Own your own credentials!

Login with Google. Login with Facebook. It’s convenient. No need to invent and remember a new username, a new password. It’s almost a single-sign-on (SSO) to the entire internet.

The obvious downside, however, is that within a second you could find yourself locked out of many of your accounts. Just imagine that for some reason your identity provider (Google, Facebook, Apple, …) decides that you have violated their terms of service, and locks you out of your account, and as a consequence also out of all the services that you used the account for. Too few people consider this, in my opinion. It can happen quite fast (recent example involving AI).

Of course you can then try to fight this lock and argue your way back into the account. But you need to be very lucky to even get some human’s attention on the other side. Unless you somehow manage to make a huge buzz about it on (social) media, I bet your chances of getting the issue resolved are pretty thin. Google is even proud that you can’t call them in order to sort this thing out (see Google’s Account Recovery support page; yes, they are right that you should not use any external password recovery service).

Don’t get me wrong. I love SSO in a company context. But there is an admin that I can talk to in case something goes wrong, and if my account is terminated, it likely is because my employment is terminated. I just don’t like it for my personal data, where some (perceived) violation of some terms of service of one of the big companies might lock me out of all my other unrelated accounts as well.

I very strongly believe that anyone making themselves a gatekeeper for things outside their own business should be required by law not to terminate your account without any recourse. Yes, they can stop doing business with you. But they should not be allowed to stop authenticating you.

Passkeys as alternative?

For a while, it seemed that Passkeys would become a convenient and secure way of signing in to services. I, however, only started to consider them once KeepassXC with 2.7.7 started offering support for managing them inside the password store, so that I could back them up and would not depend on a hardware device that could break or that I could lose.

Unfortunately, it really seems that the big companies are using this technology yet again to lock you into their ecosystem, creating exactly the same problem for me as I have with the “Login with…” system. The following articles are a very good summary of what went wrong and also why the current standard and the insistence on resident keys have made this system basically unusable for the concerns I mentioned above.

Good support in password stores (like Bitwarden/Vaultwarden, KeepassXC, Keepass2Android) may still make this a viable alternative. The cryptographic advantages of passkeys over normal username/password are great, so I really think it can be an improvement in the future.

Staying with usernames and password manager (for now)

For now, I’ll still stay with my own setup using my self-managed password stores, with all the work and dangers that this entails as well (backups, distribution, availability).

To quote from the article mentioned above, something that I can absolutely endorse:

And I’m starting to agree – a password manager gives a better experience than passkeys.

That’s right. I’m here saying passwords are a better experience than passkeys. Do you know how much it pains me to write this sentence? (and yes, that means MFA with TOTP is still important for passwords that require memorisation outside of a password manager).

So do yourself a favour. Get something like bitwarden or, if you like self hosting, get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform-controlled passkey store, and be very careful with security keys.

tr.im to be shut down

To emphasize my reservations about URL shortening services, which I have mentioned before, here comes the proof that my thesis is correct: the URL shortening service tr.im is going to be shut down by the end of this year. As Robert Scoble put it, this is a “shortcoming” of the Twitter platform, where the shutdown most likely will be felt most.

This is the first time I am aware of actual knowledge/data-loss which will occur due to the shutdown of such a service.

Update: tr.im announced that they will stay in business, due to an overwhelming response. But still, the final shutdown of such a service sooner or later can and will happen. And even worse would be the continuation of such a service where all the URLs would be redirected somewhere else…


URL shortening services soon to be under siege?

I have already written about my opinion about the problems of URL shortening back in 2005. Yesterday, Jeff Atwood pointed out other issues like commercialization. Today, another threat has come true: hackers have manipulated the URLs of shortening service cli.gs.

Given the huge amount of information hidden behind such shortened URLs, and given the popularity and number of these links, especially nowadays on Twitter, these services could see themselves under permanent siege by hackers/crackers. Being able to manipulate hundreds of thousands, if not even more, widely distributed and popular URLs to point to a given site could be used both for generating (lots of?) ad revenue and as a new form of DDoS attack.

At the moment there seems to be no way around using these services (especially with services like Twitter), but in the medium/long run a solution has to be found if we don’t want to lose lots of valuable information.

You have the right to remain silent

If you speak German and you have about an hour of time, you should watch the video of the presentation of Uwe Vetter at the 23C3 on house searches and how to deal with the police in such a situation, especially if “you have nothing to hide”.

Uwe Vetter is the author of the law blog, a well-recognized blog on German law and justice. He is a lawyer and has been blogging for several years now.

The video is really entertaining and informative, with a lot of nice information and background stories about a situation I hope I’ll never face. It covers the situation in Germany, but I expect that much of the advice given also applies to Austria and other countries.

Short URLs: Future Loss of Knowledge

Short URLs, as provided for instance by TinyURL.com or MakeAShorterLink, are now commonly used when posting to newsgroups or mailing lists. These links are primarily used to get rid of the problem of wrapped URLs in many NNTP/mail clients as well as to make the posts more readable.

Unfortunately, these links also pose a problem regarding future retrieval of information. Often, the short URLs are only valid for a certain amount of time, after which they cannot be resolved anymore. When searching newsgroups on the hunt for the solution to a problem, I sometimes come across such invalid links. Nothing angers me more than reading “just see http://xxx.xxx for the solution” and having no possibility to retrieve the information.

tinyurl promises on its front page to create a URL that […] will not break in email postings and never expires. Quite a challenging promise, isn’t it? makeashorterlink.com is more conservative in their promise; they only tell that it is going to last a very long time.

I do not want to say that these services are not useful; on the contrary, there are many cases where they are useful. Long links in mails, postings, and instant messages are quite a pain sometimes, but the problem, especially in support forums and newsgroups, is that in my opinion the chances are higher that the short URL service will be discontinued than that all archived postings will expire.

Of course, one could argue that the chances are just as high that the real URL hidden behind the short URL is not valid any more. This will also result in loss of information, without any doubt. But if such a commonly used service is discontinued, a lot of URLs become invalid at once, and the hidden URL is lost forever even though the site behind it might still be available.

There is another point about the short URLs as well: I usually want to know where I am going before clicking a link. That’s also impossible with short URLs.

So, what to do about it? In my opinion, whoever wants to should continue using the services; I sometimes use them as well. But one should also add the long URLs at least to the end of an e-mail or a posting. They might be unclickable due to line breaks, but in case the short URL expires, it is still possible to reconstruct the link by hand.
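Both points above (wanting to know where a short link leads before clicking it, and keeping the long URL at the end of a posting so it survives the shortener) can be automated. The following is an added example, not code from the original post: it previews a short URL's destination with HEAD requests that do not auto-follow redirects, walks the redirect chain hop by hop with a loop and hop cap, and appends a "Long URLs:" footer to a posting. The shortener hosts named on the page are used as the detection list; `short.example`, the `_FAKE_TABLE` redirect table and `fake_next_hop` are constructed stand-ins so the example runs offline.

```python
"""Preview short-URL destinations and append the long URLs to a posting.
Added example (not from the original post)."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Hosts treated as shorteners: the ones named on the page plus a constructed
# placeholder (short.example) used by the offline table below.
SHORTENER_HOSTS = {"tinyurl.com", "makeashorterlink.com", "tr.im", "cli.gs",
                   "short.example"}

URL_RE = re.compile(r"https?://[^\s<>\"'()]+")


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx replies as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_next_hop(url, timeout=5):
    """One HEAD request. Return the (absolute) Location of a 3xx reply, or
    None when the server answers 2xx, i.e. url is the final destination."""
    opener = urllib.request.build_opener(_NoFollow)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400 and err.headers.get("Location"):
            return urljoin(url, err.headers["Location"])  # handles relative Location
        raise


def expand(url, next_hop=http_next_hop, max_hops=5):
    """Follow the redirect chain without ever fetching a page body.
    Returns (last_url, status); status is 'ok', 'loop', 'too-many-hops' or 'error'."""
    seen = [url]
    current = url
    for _ in range(max_hops):
        try:
            nxt = next_hop(current)
        except Exception:           # dead shortener, DNS failure, 4xx/5xx ...
            return current, "error"
        if nxt is None:
            return current, "ok"
        if nxt in seen:
            return nxt, "loop"
        seen.append(nxt)
        current = nxt
    return current, "too-many-hops"


def is_short_url(url):
    host = urlsplit(url).hostname or ""
    return host.lower() in SHORTENER_HOSTS


def annotate_posting(text, next_hop=http_next_hop):
    """Append a footer listing each short URL in text with its resolved target,
    so the link can be rebuilt by hand if the shortener goes away."""
    found = [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]
    short = [u for u in dict.fromkeys(found) if is_short_url(u)]  # dedupe, keep order
    if not short:
        return text
    lines = [text.rstrip("\n"), "", "--", "Long URLs:"]
    for u in short:
        target, status = expand(u, next_hop)
        lines.append(f"{u} -> {target}" if status == "ok"
                     else f"{u} -> (unresolved: {status})")
    return "\n".join(lines) + "\n"


# Constructed offline redirect table standing in for live shorteners:
# value is the Location header of a 3xx reply, None means a 2xx reply.
_FAKE_TABLE = {
    "http://short.example/abc": "https://example.org/docs/long/path?id=42",
    "https://example.org/docs/long/path?id=42": None,
    "http://short.example/rel": "/landing",            # relative Location
    "http://short.example/landing": None,
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}


def fake_next_hop(url):
    """Offline replacement for http_next_hop; unknown URLs act like a dead service."""
    if url not in _FAKE_TABLE:
        raise urllib.error.URLError("name or service not known")
    nxt = _FAKE_TABLE[url]
    return urljoin(url, nxt) if nxt else None


if __name__ == "__main__":
    posting = ("Just see http://short.example/abc for the solution, "
               "or http://short.example/dead (old link).\n")
    print(annotate_posting(posting, fake_next_hop))
```

To use it against real shorteners, leave `next_hop` at its default so `http_next_hop` issues the HEAD requests; the chain walker never downloads a page body and stops on loops, so it is safe to run over an inbox full of untrusted links before anyone clicks them.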