Aug 20, 2008

Protecting your privacy by using base64 encoded inline images + table images for IE

While creating LastPass we wanted to show an overlay on the page when you autologin to a site. We ran into an issue though: if we used an image on that overlay, the browser's request for that image would send the referring URL to the server hosting the image -- a privacy leak that we wanted to avoid.

In Firefox, there is a relatively straightforward and elegant solution: use an inline base64 encoded image (a data: URI), so no request is made at all. This method is covered here: http://www.websiteoptimization.com/speed/tweak/inline-images/

This was great, but unfortunately Internet Explorer doesn't support inline images. We found inspiration for a solution here: http://ddzoom.net/jsimages/ and adapted it to produce pure HTML rather than JavaScript. Using a table to create an image will probably make you squirm, but it works.

The overlay we are creating is already HTML, and IE can render tables quickly, so we gave it a shot and it worked great, much faster than the JavaScript version (the script has to read the image data and ultimately builds a table anyway, so emitting the table directly skips that work).

Granted this is a very small image (our logo), and we probably wouldn't do it for a very large image, but it accomplishes the goal while protecting your privacy, which makes us happy.
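Both variants from the post, as an added example in Node.js that is not LastPass's code: a tiny pixel grid is turned into a base64 data: URI (here an uncompressed BMP, so no compression library is needed) for browsers that support inline images, and into a one-cell-per-pixel table for browsers that don't. The 4x3 "logo" and the helper names are constructed for this example; the security point is the same as in the post, namely that neither form makes the browser fetch anything, so no referring URL leaves the page.

```javascript
// Added example (not LastPass's code): build a tiny image two ways so it can be
// shown on a page without fetching a remote file, hence without sending a
// Referer header to anyone. The 4x3 "logo" below is constructed for the demo.
const LOGO = [
  ["#ff0000", "#ff0000", "#ffffff", "#ffffff"],
  ["#ffffff", "#0000ff", "#0000ff", "#ffffff"],
  ["#ffffff", "#ffffff", "#00ff00", "#00ff00"],
];

// Only accept "#rrggbb"; anything else is rejected rather than interpolated
// into markup, so a colour value can never smuggle HTML into the overlay.
function hexToRgb(hex) {
  if (!/^#[0-9a-fA-F]{6}$/.test(hex)) throw new Error("bad colour: " + hex);
  return [1, 3, 5].map((i) => parseInt(hex.slice(i, i + 2), 16));
}

// Variant 1: an uncompressed 24-bit BMP wrapped in a data: URI. Browsers with
// data-URI support (Firefox in 2008, everything modern) render it with no
// network request at all.
function pixelsToBmpDataUri(pixels) {
  const height = pixels.length;
  const width = pixels[0].length;
  const rowSize = Math.ceil((width * 3) / 4) * 4; // each row is padded to 4 bytes
  const pixelBytes = rowSize * height;
  const fileSize = 54 + pixelBytes; // 14-byte file header + 40-byte info header
  const buf = Buffer.alloc(fileSize, 0);
  buf.write("BM", 0, "ascii");
  buf.writeUInt32LE(fileSize, 2);
  buf.writeUInt32LE(54, 10); // offset of the pixel data
  buf.writeUInt32LE(40, 14); // BITMAPINFOHEADER size
  buf.writeInt32LE(width, 18);
  buf.writeInt32LE(height, 22);
  buf.writeUInt16LE(1, 26); // colour planes
  buf.writeUInt16LE(24, 28); // bits per pixel
  buf.writeUInt32LE(0, 30); // BI_RGB: no compression
  buf.writeUInt32LE(pixelBytes, 34);
  // BMP stores rows bottom-up and each pixel as B,G,R.
  for (let y = 0; y < height; y++) {
    const row = pixels[height - 1 - y];
    for (let x = 0; x < width; x++) {
      const [r, g, b] = hexToRgb(row[x]);
      const off = 54 + y * rowSize + x * 3;
      buf[off] = b;
      buf[off + 1] = g;
      buf[off + 2] = r;
    }
  }
  return "data:image/bmp;base64," + buf.toString("base64");
}

// Variant 2: one table cell per pixel, for browsers without data-URI support
// (IE at the time). Pure HTML, no <img>, so again nothing is fetched.
function pixelsToTable(pixels, cellPx = 1) {
  const rows = pixels.map((row) => {
    const cells = row.map((c) => {
      hexToRgb(c); // validates the colour before it lands in an attribute
      return `<td bgcolor="${c}" width="${cellPx}" height="${cellPx}"></td>`;
    });
    return "<tr>" + cells.join("") + "</tr>";
  });
  return `<table cellpadding="0" cellspacing="0" border="0">${rows.join("")}</table>`;
}

// Pick whichever form the browser can render; both stay local to the page.
function overlayLogoHtml(pixels, supportsDataUri) {
  return supportsDataUri
    ? `<img src="${pixelsToBmpDataUri(pixels)}" width="${pixels[0].length}" height="${pixels.length}">`
    : pixelsToTable(pixels);
}
```

The colour check in hexToRgb is the one defensive step worth keeping even for a fixed logo: the table form writes values straight into HTML attributes, so restricting them to "#rrggbb" is what keeps the overlay from ever becoming an injection point if the pixel data is ever sourced from anywhere less trusted.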

Aug 19, 2008

How people deal with password overload today

Working on LastPass.com for the last few months has given me the chance to question quite a few people about their current password habits. It's been eye-opening to hear just how many people use the exact same password for every application they're faced with, either not recognizing or not caring about the risk they're taking.

The people that do recognize the risk typically 'tier' their passwords, using a strong one for the sites they care about the most and a weaker one for the sites they care about less.

Both of these are pretty flawed approaches because some companies are radically better at authenticating users than others. The most secure companies (like LastPass) use https (so the data is encrypted in transit), create a one-way hash of your password client side (so your password itself never leaves your computer), and then salt and hash that value again before storing it.

Unfortunately almost no companies are that careful: many let you send your password to them over an unencrypted channel, store your exact password unencrypted in their databases, and will even send that password back to you over email (which is also insecure). That means there are at least 6 distinct ways your password could fall into a nefarious person's hands for just that one site: sniffed over the network on its way to the company, taken by an employee at the company, sniffed over the network between the company and your email provider, sniffed over the network between the email provider and you, taken by an employee at your email provider, and read from where it sits unencrypted in your email client.

Handling passwords the right way isn't hard if you have software that will create and remember strong passwords for you.