Weekly output: password managers, exposure-notification apps, talking tech with Mark Vena

Six months ago, I expected to be busy tonight packing for the IFA tech trade show. But although that conference in Berlin is proceeding on a drastically-scaled-down basis, I’m not flying to Germany tomorrow because of the European Union’s ban on Americans traveling to the EU. Given how thoroughly we’ve botched this pandemic, I can’t blame them for imposing that restriction.

8/24/2020: Extra security or extra risk? Pros and cons of password managers, TechRepublic

I shared my experience with password managers–mainly LastPass and 1Password–with TechRepublic’s Veronica Combs for this overview of the advantages and disadvantages of these services.

8/25/2020: COVID-19 tracking apps, supported by Apple and Google, begin showing up in app stores, USA Today

Writing a lengthy report for O’Reilly about contact-tracing apps did not mean I could write this much shorter piece from memory and my existing notes. In addition to getting useful adoption data from Virginia’s Department of Public Health about its COVIDWISE app, I also reported that VDH plans to support a national key-server project from the Association of Public Health Laboratories that will let these state-developed apps relay and receive warnings of potential COVID-19 exposure across state lines.

8/28/2020: SmartTechCheck Podcast (8-28-20), Mark Vena

I talked about exposure-notification apps, the future of tech events like IFA, 5G wireless and Apple silicon with my analyst pal at Moor Insights & Strategy–another tech type who would have been packing for Berlin tonight but is instead grounded. You may notice a break in the recording about halfway through, when I had to get a glass of water so I could resume speaking normally. Note to self: Before sitting down to record a 45-minute podcast, make sure a glass of water is on the desk.

Weekly output: password peril, mobile-hotspot help, Facebook’s Oversight Board

I had been holding out hope that I could return to business travel, even if just once before fall or winter, to cover America’s return to launching astronauts to space–SpaceX’s Demo-2 test flight of its Crew Dragon capsule, scheduled for May 27. I’d put in for a press pass and had a confirmed assignment from a name-brand client, and I was willing to figure out how I’d not lose money on the trip later on. But on Monday, I got the e-mail that many other journalists received, saying that NASA could not accommodate me at the Kennedy Space Center because social-distancing dictates required drastically limiting the number of press on site.

I’m not surprised and I’m not that upset. I’ve already seen three launches from the press site at KSC–the penultimate and final Space Shuttle launches and the February 2018 debut of the Falcon Heavy rocket–and that’s three more than I had any reasonable expectation of seeing 10 years ago.

5/5/2020: We still stink at passwords, and there’s really no excuse, Fast Company

I got an advance look at a study published by LastPass, the password-manager service that I used to use. The study confirmed earlier reports that people reuse way too many passwords but reported curiously high adoption of two-step verification–but did not gauge how many of us now employ password managers.

5/8/2020: All of the COVID-19 Data Upgrades That Cell Phone Carriers Are Offering, Wirecutter

I inventoried the ways that the big four wireless carriers as well as their prepaid brands and their major resellers have made it easier to share your smartphone’s bandwidth with nearby devices via its mobile-hotspot function. As you can see in the comments, it looks like I got one service’s information wrong; Google Fi has raised the limit at which it will slow down your connection, but not in a way that will lower most customers’ bills.

5/9/2020: Facebook’s Oversight Board, Al Araby

As one third of a panel discussion on this Arabic-language news network, I talked about Facebook’s new Oversight Board and its odds of changing things at the social network. My main point: While this equivalent of a Supreme Court is empowered to reverse Facebook decisions to take down or keep up content, Facebook’s automated rankings of the priority of content appear to be outside its orbit.

First impressions of 1Password

After several years using the same password-manager service–and then paying for its premium version–I’ve spent the last few weeks trying an alternative.

I can credit a sales pitch that included the italicized phrase “completely free” for this departure: 1Password’s offer of a free membership to journalists, in celebration of World Press Freedom Day this May 3. But I was also overdue to spend some time in a password manager besides LastPass.

So far, I’m impressed by the elegance of the interface but a little put off by how persnickety 1Password can be to set up. You don’t just create a username and password, you also have to type in a complex and random secret key to get going.

Having read this Toronto-based firm’s documentation of how this extra step helps ensure that a successful guess of your password still won’t compromise your account, I get where they’re coming from. But I’m not sure I’d recommend it to just anybody, especially not when LastPass’s free version suffices for many casual users.

Further time with 1Password’s Mac, Windows and Android apps has revealed other things I like:

This time has also surfaced one thing I don’t like: an incomplete approach to two-step verification that seems to require choosing between running an authenticator app on your smartphone or employing a weird Yubikey implementation that requires running a separate app instead of just plugging a standard USB security key. That’s no better than LastPass’s inflexible notion of two-step verification.

I’d like to see 1Password improve that and support the WebAuthn standard for security-key confirmation. But I’m prepared to give them some time, based on everything else I’ve seen so far.

Here’s my Web-services budget

The annual exercise of adding up my business expenses so I can plug those totals into my taxes gave me an excuse to do an extra and overdue round of math: calculating how much I spend a year on various Web services to do my job.

The result turned out to be higher than I thought–even though I left out such non-interactive services as this domain-name registration ($25 for two years) and having it mapped to this blog ($13 a year). But in looking over these costs, I’m also not sure I could do much about them.

Google One

Yes, I pay Google for my e-mail–the work account hosted there overran its 15 gigabytes of free storage a few years ago. I now pay $19.99 a year for 100 GB. That’s a reasonable price, especially compared to the $1.99 monthly rate I was first offered, and that I took too long to drop in favor of the newer, cheaper yearly plan.

Microsoft Office 365

Getting a Windows laptop let me to opting for Microsoft’s cloud-storage service, mainly as a cheap backup and synchronization option. The $69.99 annual cost also lets me put Microsoft Office on one computer, but I’ve been using the free, open-source LibreOffice suite for so long, I have yet to install Office on my HP. Oops.

Evernote Premium

This is my second-longest-running subscription–I’ve been paying for the premium version of my note-taking app since 2015. Over that time, the cost has increased from $45 to $69.99. That’s made me think about dropping this and switching to Microsoft’s OneNote. But even though Microsoft owns LinkedIn, it’s Evernote that not only scans business cards but checks LinkedIn to fill in contact info for each person.

Flickr Pro

I’ve been paying for extra storage at this photo-sharing site since late 2011–back when the free version of Flickr offered a punitively-limited storage quota. This cost, too, has increased from $44.95 for two years to $49.99 a year. But now that Yahoo has sold the site to the photography hub SmugMug, the free tier once again requires serious compromises. And $50 a year doesn’t seem that bad, not when I’m supporting an indie-Web property instead of giving still more time to Facebook or Google.

Private Internet Access

I signed up for this virtual-private-network service two years ago at a discounted rate of $59.95 for two years, courtesy of a deal offered at Techdirt. Absent that discount, I’d pay $69.95, so I will reassess my options when this runs out in a few months. Not paying for a VPN service, however, is not an option; how else am I supposed to keep up on American news when I’m in Europe?

LastPass Premium

I decided to pay for the full-feature version of this password manager last year, and I’m already reconsidering that. Three reasons why: The free version of LastPass remains great, the premium version implements U2F two-step verification in a particularly inflexible way, and the company announced last month that the cost of Premium will increase from $24 a year to $36.

Combined and with multi-year costs annualized, all of these services added up to $258.96 last year. I suspect this total compares favorably to what we spend on news and entertainment subscriptions–but that’s not math I care to do right now.

LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.

Weekly output: LTE hotspots, Techdirt, SOTU, password managers, Washington Apple Pi, Tech Night Owl, old IE versions

I had a relaxing week after CES… no, that’s not right.

Wirecutter LTE hotspot guide1/11/2016: Best Wi-Fi Hotspot, The Wirecutter

My overdue update to this guide to LTE hotspots endorsed a Verizon model and gave a secondary endorsement to an AT&T hotspot with lesser battery life. We then revised the update after it posted to note that the Sprint reseller Karma had downgraded an initially-promising unlimited-data option.

1/12/2016: Techdirt Podcast Episode 56: The CES Post-Mortem, Techdirt

I ran into Techdirt’s Mike Masnick at CES, and on our respective ways out of town he suggested I appear on his podcast. I said that would be a great idea.

1/13/2016: State of the Union’s Technology? What Obama Didn’t Say, Yahoo Tech

The tech-policy story about this SOTU address is how little attention tech policy got. I’d still like to know what led Reuters to think that self-driving cars would get a mention in the speech.

1/14/2016: Tip: How to Make Sure Someone Can Access Your Passwords in an Emergency, Yahoo Tech

The 4.0 update LastPass rolled out right before CES added an emergency-access feature, so I used this tip to tell readers about that and Dashlane’s comparable emergency-contacts option.

1/14/2016: Afternoon Learners SIG, Washington Apple Pi

I stopped by a meeting of this Apple users’ group to share my thoughts about CES–and to hand out some PR swag and USB flash drives.

1/16/2016: January 16 2016 — John Martellaro and Rob Pegoraro, Tech Night Owl

I talked to Gene Steinberg about what I saw at CES, from UHD TVs to the Internet of Insecure Things.

1/17/2016: What to do after Microsoft ends support for older browsers, USA Today

The easy answer to Microsoft’s end of support for older Internet Explorer versions is “install IE 11.” But that browser isn’t the same app in Windows 7 as it is in Win 8 and 10, and updating your browser doesn’t end your Web-security chores.

Weekly output: LastPass, wireless bridges

At the start of this week, I had different topics in mind for each of these two columns, and then things happened. I also made a quick run up to New York Thursday for a few tech events, then wrapped up the visit with a pilgrimage to the top of One World Trade Center. I’ll repeat the D.C.-NYC trip tomorrow but will stick around longer–CE Week runs Tuesday through Thursday.

6/16/2015: My Password-Manager Service Got Hacked. Things Could Be Much Worse., Yahoo Tech

I had filed a different column by the time my editor and I separately decided: Hey, this news about a password-manager service’s security breach is column-worthy. After this piece went up, LastPass updated its original blog post with a clearer explanation that’s worth reading.

USA Today wireless-bridge post6/21/2015: Wonky Wi-Fi on one device? Take it to the bridge, USA Today

In this case, I hadn’t filed anything–I couldn’t, because I was waiting for an answer to a reasonably simple technical query from a company that had already exhibited… let’s say, a slow PR metabolism. Fortunately, a reader had e-mailed a question that I could answer without needing any spokespeople to chime in first. It didn’t hurt that the headline came to mind almost instantly.

Correlation or causation: Verizon, LastPass and last weekend’s USAT column

The reaction to last weekend’s USA Today column has been interesting and a little confusing.

LastPass logoOn one hand, I’ve seen a variety of reader reports–more in reader e-mail and in comments on the post I wrote here first to see if this was a wider problem as well as on the Facebook page post in which I shared the column than in comments on the column itself–of other Verizon login failures.

On the other hand, Verizon is now thinking that this is related to my using LastPass. My PR contact there said that one of his colleagues had noticed the screenshot in my post here revealed that I use that password-manager service and suggested I try disabling its extension in the problematic copy of Safari.

I thought that a somewhat ridiculous suggestion, since each time I’d typed in the password instead of letting LastPass enter it for me. But once I did that, I could log in normally. And when I enabled it again, I got the same login failure as before. There’s correlation here. Causation? I don’t know.

I e-mailed LastPass’s CEO Joe Siegrist (not because I thought this a CEO-level issue, but because we met a few years ago and I’ve always found him quick to reply to a query) to ask his people to look into things.

If they can reproduce and, better yet, document a problematic interaction, that would be good to know and a good thing to add to the column. If they can’t (a distinct possibility considering that the guy I quoted in the column having a similar problem, PhoneScoop editor Rich Brome, told me he doesn’t use LastPass), the mystery will continue.

In the meantime, I’ll throw this question out there: If you use LastPass, have you seen any other cases of a login with a valid password failing?