A record of my academic addiction and occasional relapses
David Ng, Jacky Ho, Christian Hercules, Cristian Bravo-Lillo, and Stuart Schechter, Do Password Managers Improve Password Hygiene?, Harvard University Tech Report, 2022
Stuart Schechter and Cormac Herley, The Binomial Ladder Frequency Filter and its Application to Shared Secrets, 2018
Yuan Tian, Cormac Herley, and Stuart Schechter, Using Guessed Passwords to Thwart Online Password Guessing in 2019 IEEE European Symposium on Security a...| stuartschechter.org
Getting people’s pronouns right is a struggle when attending large events, even when those running and attending the events care about gender inclusivity. When I watch others struggle with pronouns at these events, it’s both a relief that I’m not alone and a disappointment that we are all so bad at this. Even in 2023, most events I attend don’t even have pronouns on name tags.1 Even when they do, we can rarely read someone’s third-person pronouns off their name tag when we need them...| Posts on Mildly-Aggrieved (not mad!) Scientist
Mastodon’s current option for embedding posts (“toots”) on other websites is inefficient, inflexible, and insecure.1 It embeds posts via an iframe element which loads over a megabyte of content and scripts from the Mastodon server. That iframe gives those scripts full control over your webpage.2 You, the embedder, get no control over how the content is rendered on your page. Important content can be cropped out of view, as journalists have complained when trying to embed toots.| Posts on Mildly-Aggrieved (not mad!) Scientist
Before creating that dating profile… Consider that you might be travel outed (or trouted)
The makers of dating apps mostly present ‘safety’ as a matter of managing the risks of interacting with matches online and in person, and not the risks of trusting an app to facilitate this process. Whether it’s the safety guidance from Tinder 📄, Bumble 📄, Hinge 📄, Grindr 📄, or Feeld, the advice they offer focuses on risks that exist whether you use an app or not.| Posts on Mildly-Aggrieved (not mad!) Scientist
Reviewing others’ work for the purpose of scoring it does not advance science. Scoring work does not help authors improve it. Scoring does not help a work’s audience understand the work, identify its limitations, or evaluate its credibility. Scoring does, however, undermine our objectivity as peer reviewers because scoring activates our biases. We are predisposed to like works that are familiar in approach, language, and style to our own work; we trust results more easily when they confir...| Posts on Mildly-Aggrieved (not mad!) Scientist
I’ve started self-hosting all my blog posts to wean myself away from commercial platforms. I wanted to support discussion, but didn’t want all the code infrastructure to support them. My blog is a static website. I wanted to keep it simple. But, I did want people reading my blog to feel invited to discuss articles and to see others’ discussing them. What I realized I really wanted was for my blog to mirror the discussion about an article that follows my announcement of the article on (n...| Posts on Mildly-Aggrieved (not mad!) Scientist
Would you try a new medication recommended in an article titled ‘Why You Need an Antidepressant’ that earns its publisher a commission each time someone clicks on a link to purchase the recommended product? I’d hope not. Yet, much of the news media openly collects commissions for recommending less-regulated products with surprising potential hazards. Consider password managers. The New York Times has, in fact, published an article with the headline ‘Why You Need a Password Manager.’| Posts on Mildly-Aggrieved (not mad!) Scientist
I cringe when I hear self-proclaimed experts implore everyone to “use a password manager for all your passwords” and “turn on two-factor authentication for every site that offers it.” As most of us who perform user research in security quickly learn, advice that may protect one individual may harm another. Each person uses technology differently, has a unique set of skills, and faces different risks. In case you haven’t received this advice, or didn’t understand what it was, Passw...| Posts on Mildly-Aggrieved (not mad!) Scientist
Many online accounts allow you to supplement your password with a second form of identification, which can prevent some prevalent attacks. The second factors you can use to identify yourself include authenticator apps on your phone, which generate codes that change every 30 seconds, and security keys, small pieces of hardware similar in size and shape to USB drives. Since innovations that can actually improve the security of your online accounts are rare, there has been a great deal of well-d...| Posts on Mildly-Aggrieved (not mad!) Scientist
Conferences and journals have a unique opportunity to influence research ethics, as researchers’ careers depend on their ability to understand and meet the requirements for having their research accepted for publication. In the past few years, a number of Computer Science conferences have added research ethics policies to their calls for papers. Good reasons for creating such a policy may include the desire to educate authors unaware of institutional review requirements or of resources that ...| Posts on Mildly-Aggrieved (not mad!) Scientist
The US government’s latest recommendations acknowledge that password composition and reset rules are not just annoying, but counterproductive. The story of why password rules were recommended and enforced without scientific evidence since their invention in 1979 is a story of brilliant people, at the very top of their field, whose well-intentioned recommendations led to decades of ignorance. These mistakes are worth studying, in part, because the people making them were so damn brilliant an...| stuartschechter.org