December 8, 2023

Bits Blog: Readers Respond: Password Hygiene and Headaches

Minh Uong/The New York Times

My article on Thursday about password hygiene prompted many e-mails from readers, some detailing their own struggles with online security, others ready with tips the experts missed.

One reader, Sean Hulbert, e-mailed to say he had spent 20 years in the security industry and occasionally “taunted hackers” to crack his passwords. “To this day, I have not been hacked,” he wrote. His secret? The Alt key.

The experts’ tip was to use a long passphrase — such as a song lyric or movie quote — instead of a password, keeping only the first letter or letters of each word in the phrase. Mr. Hulbert said he makes the resulting password stronger by translating it using the Alt key. For example, assuming the site allows passwords with special characters, he might take this line from the film “The Princess Bride” — “Hello. My name is Inigo Montoya. You killed my father. Prepare to die.” — and convert it into the 15-character password: “HmNiImYkMfPtDie.” Holding down the Alt key (on a Mac) as you type would make that password: Óµ˜ˆˆµÁ˚ƒ∏†Îˆ´.

Hack that!

Another reader, Roger Bohl, wrote to say he memorizes the same basic password for every online account but tweaks it for each account by adding two or three letters based on his own simple algorithm. For example, he may start with “HmNiImYkMfPtDie” as his password for every account. Then he may add three or more letters based on the name of the vendor but amended slightly — maybe three letters down from the alphabet. So for Amazon, he may convert Ama to Dpd (“D” being three letters down the alphabet from the letter “A”, “p” being three letters down from “m” and so on) to make it: HmNiImYkMfPtDieDpd. For Chase, it might be: HmNiImYkMfPtDieFkd.

“Not unbreakable,” Mr. Bohl conceded. “But better than using a common password and easier to use than a list — and you don’t have to carry it with you.”
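The suffix rule Mr. Bohl describes, written out as an added Python example (not code from the article or from Mr. Bohl); the function names and the `shift` and `n` parameters are assumptions for illustration. It also shows why the scheme is "not unbreakable": two exposed passwords share the base as a common prefix, and one password set beside its site name reveals the shift.

```python
import string

# Base password taken from the article's example.
BASE = "HmNiImYkMfPtDie"

def shift_letters(text, shift):
    """Caesar-shift ASCII letters, preserving case; other characters pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def site_password(base, site, shift=3, n=3):
    """Base password plus the first n letters of the site name, shifted."""
    return base + shift_letters(site[:n], shift)

def common_prefix(a, b):
    """Longest shared prefix: what two exposed passwords reveal about the base."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return a[:i]

def detect_shift(password, site, n=3):
    """Return the shift if the last n characters are one constant alphabet
    shift of the site's first n letters; otherwise return None."""
    tail, head = password[-n:], site[:n]
    joined = tail + head
    if len(joined) != 2 * n or not (joined.isascii() and joined.isalpha()):
        return None
    shifts = {(ord(t.lower()) - ord(h.lower())) % 26 for t, h in zip(tail, head)}
    return shifts.pop() if len(shifts) == 1 else None

if __name__ == "__main__":
    amazon = site_password(BASE, "Amazon")
    chase = site_password(BASE, "Chase")
    print(amazon, chase)
    print("shared base:", common_prefix(amazon, chase))
    print("shift visible from one password:", detect_shift(amazon, "Amazon"))
```
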

Many readers expressed frustration with the suggestion that they needed different passwords for every single site. “Your suggestion to never use the same password twice is impractical,” wrote Daniel Dunn. “Why not, instead, reuse the same password in contexts where it really doesn’t matter if I am hacked?”

Indeed, while many experts advise against it, some concede that they will use a “throwaway” password for sites that do not store personal or financial information, like a recipe forum.

“I use a common browser/e-mail/password combination for what I perceive as low or no risk uses,” wrote Steve Patriquen. “I then ratchet up on complexity of my security based on the escalating risk.”

David Ziegelheim appreciated the tip about using different Web browsers for different Web activities, but thought it could be taken one step further. “It should really be coupled with a recommendation to delete all cookies on a regular basis,” Mr. Ziegelheim wrote. “For a browser dedicated to financial transactions the cookie should be deleted minimally every time the browser is closed.”

Those most critical of the article were — unsurprisingly — password protection software vendors like AgileBits, which sells 1Password software. AgileBits took issue with the fact that both cybersecurity experts cited in the story, Jeremiah Grossman and Paul Kocher, said they did not trust password protection software because they did not write it themselves, and because if their computer is stolen, hackers could access all their passwords.

“There is a very, very small handful of people who can get away with saying that they will only trust a password management system that they build themselves,” the company wrote in a blog post. “You should definitely not trust a password management system that you develop yourself.”

As for what happens to passwords if a computer is stolen, AgileBits said it designed its 1Password software with that possibility in mind. “We’ve made it very, very difficult for password cracking systems, such as John the Ripper, to recover your Master Password.”

The only people more angered by our password guide than AgileBits were devotees of Bruce Schneier, the security technologist and author.

“I remain skeptical of any article in this space that doesn’t quote or at least refer to Bruce Schneier,” one reader wrote on Twitter. (Indeed, it should be noted that Mr. Schneier designed Password Safe, a password management software that, like LastPass, SplashData and AgileBits, stores passwords in an encrypted file that you can unlock with one master password.)

Finally, many readers (and even my editor) said that after hearing about my own harrowing experience with my computer’s webcam, they too were now covering their webcams with masking tape.


DealBook: Abracadabra! Magic Trumps Math at Web Start-Ups

Minh Uong/ The New York Times

Over a decade ago, Internet companies promoted new ways to measure their business performance, introducing concepts like “eyeballs” and “mindshare” to investors.

Now the latest wave of Internet start-ups are adding their own particular yardsticks to the valuation vocabulary.

Try “Acsoi” — a metric so new that there’s no agreement on how to pronounce it. Depending on whom you ask, it’s either “ack-soy” or “ack-swa.”

Short for “adjusted consolidated segment operating income,” Acsoi is one of three yardsticks that Groupon, the online coupon giant, recommends investors use to determine how it is performing. It is essentially operating profit minus the company’s large online marketing and acquisition expenses — a highly nonstandard approach that had many scratching their heads.

Yet without it, Groupon would appear steeped in red ink.

The use of such metrics has come with a meteoric rise in valuations for companies like Groupon, LinkedIn and Facebook that has invited skepticism from analysts and people in the industry. They are questioning whether some business models — be they a social network aimed at professionals or a maker of online farm games — can endure.

“These hot private companies are revealing their numbers, and I for one am surprised how they’re not making money,” said Lisa R. Thompson, an analyst with the research firm Arcstone Partners. “Everything in my space I’ve looked at doesn’t make money.”

Those who worry that the new Internet boom may repeat the mistakes of the last one are concerned that investors will look only for the positive in these hot new companies — seizing upon metrics of the sort that Lynn E. Turner, a former chief accountant for the Securities and Exchange Commission, once called E.B.B.S., or “earnings before bad stuff.”

The question is whether the new wave of Web companies have sustainable businesses or are simply like Webvan and, mired in a search for profitability.

Pandora Media, for instance, has garnered acclaim for its online radio station format. But under the company’s current licensing deals, the more songs users listen to, the more Pandora pays in royalty fees, prompting some to question whether it will ever turn a profit.

In a research note on Pandora last week, Richard Greenfield, an analyst at BTIG Research, gave the company a sell rating and a price target of $5.50 a share.

Mr. Greenfield’s concerns about Pandora centered on a rise in competitors like Spotify and skepticism that Pandora’s efforts to increase advertising revenue would eventually lead to profitability.

Some of that pessimism appears to have deflated the buzz that surrounded the company’s initial public offering. Shares of Pandora closed Friday — their third day of New York Stock Exchange trading — at $13.40, down 16 percent from their I.P.O. price.

Groupon likes to use an innovative metric for its revenue, because standard accounting shows it steeped in red ink. (Scott Olson/Getty Images)

It’s no surprise then that some new companies are trying to show their businesses in the best possible light.

Groupon’s business model is built on offering a variety of daily deals worldwide, pulling in $713.4 million in revenue last year. But it lost $450 million, as the company spent $444.7 million to lure in new subscribers to its newsletters and to acquire smaller competitors.

That’s where Acsoi comes in. By stripping out those costs, the company argues, investors can see just how the core business is doing, though it warns that the measurement should not be used to value the company. Using Acsoi, Groupon earned $60.6 million last year, more than 20 times what it reported in 2009. And in the first quarter of 2011 alone, it reaped $81.6 million.

And Groupon argues that it is choosing to spend large amounts of money now because it is important to acquire as many subscribers as possible, hoping to gain formidable scale as Amazon and Netflix have done in their own industries.

Groupon also says that the cost of maintaining subscribers, which is factored into Acsoi, is far lower than the expense of gaining them in the first place. That cost amounted to about 3 percent of revenue last year, though it rose to about 4.4 percent in the first quarter.

Groupon does offer two other measurements for valuation purposes, free cash flow and gross profit, both of which have a long basis in standard accounting rules. Groupon reported a tenfold rise in free cash flow last year, to $72 million, while its gross profit swelled to $280 million from $10.9 million the previous year.

Other new Internet companies also promote nonstandard accounting metrics. Demand Media, the publisher of thousands of amateur how-to articles, spreads out the cost of paying its army of contract writers over five years, arguing that the long life of its content means that those expenses are really a capital investment.

That accounting measure helps flip Demand’s financial results for the better. On a basis of generally accepted accounting principles, the company lost $5.6 million in the first quarter of this year. On an adjusted net income basis, it earned $5.1 million.

Demand Media also cites “adjusted Oibda,” short for operating income before depreciation and amortization, and a semi-popular nonstandard measure also cited by the likes of CBS and Time Warner.

Such moves bring to mind the last tech boom, when companies drew upon unusual accounting and business yardsticks to help explain their lack of profitability., for example, briefly reported profits that stripped out its then-steep marketing costs, not unlike Groupon. And Motorola incurred “special” one-time items so regularly that critics asked whether they were fundamental business costs.

Efforts to demonstrate viable business models did not end with customized accounting. Firms increasingly turned to nebulous new measurements like eyeballs and mindshare to represent the number of visitors a site attracted or how well-known it was among Internet users.

In hindsight, of course, all the eyeballs in the world couldn’t substitute for a viable business model. arguably achieved a tremendous amount of mindshare, with its spokespuppet appearing in a Super Bowl ad and in the 1999 Macy’s Thanksgiving Day Parade. Yet despite the media attention, the site, a pet food retailer, closed less than a year after its initial public offering, weighed down by an inability to profit from a single sale.

The latest generation of Web companies differs in many ways from its forebears, with many of its ranks drawing real earnings from advertising and other sources of income. LinkedIn generated $3.4 million in profit last year. Using adjusted earnings, which accounts for items like stock-based compensation, it reported nearly $48 million.

Facebook, the biggest social network, earned about $400 million atop $2 billion in revenue, people briefed on the company’s results have said.

And there is a precedent behind some of this accounting. Amazon contended that its huge marketing costs were necessary to get its name out. That bet ultimately worked for Amazon, which now towers over the online retail space. But the same didn’t hold true for

“That’s a perfectly legitimate way for companies to look at these things economically,” said Dennis R. Beresford, an accounting professor at the Terry College of Business at the University of Georgia. “The real question is, is that going to happen?”

Evelyn M. Rusli contributed reporting.
