Password Managers: 2014 Heartbleed Edition

Posted by Robert Mohns on April 14, 2014. Tagged: best practices, technology

Password managers, thanks to Heartbleed, are top of mind this week. While nothing can save you from sites with truly idiotic password requirements, a good password manager tool makes it tremendously easier to prevent identity theft and fraud.

Dan wrote about password managers back in 2009, but that's so five years ago. I took an informal poll around the office and here's what iMarcians use today, as well as a few others that are well-reputed.

(Impatient? Jump to the TL;DR.)

1Password:

  • https://agilebits.com/onepassword
  • Platforms: Windows, Mac, Android, iPhone, iPad
  • What's special about it: It does pretty much everything, pretty much everywhere. Very configurable strong password generator; integrates tightly with Chrome, Firefox, Safari and IE; syncs across your devices using Dropbox (or iCloud); insanely deep organization (tags, favorites, folders); secure notes; software licenses; manages and auto-fills credit cards and multiple identities into web forms. iPhone/iPad version includes a built-in browser, handy for banking.
  • Pros: Powerful, runs on all the big four platforms.
  • Cons: Not cheap. $50 for Windows or Mac, or $70 for a cross-platform bundle. $15 for iPhone/iPad (currently on sale for $9). Also, the Android version is read-only; you can't add and edit new passwords.
  • It's currently on sale for half off the usual price.
  • More iMarcians use 1Password than any other tool.

Password Hash:

  • https://www.pwdhash.com or http://crypto.stanford.edu/PwdHash/
  • Platforms: Firefox, Chrome, Opera, iPhone.
  • What's special about it: Creates a custom password for any website using one password of your choice. Implemented as a browser extension for desktop Firefox, Chrome and Opera.
  • Pros: Free and easy. Very effective at blocking website phishing attacks.
  • Cons: No official mobile support, but there is a $0.99 iPhone app, KeyGrinder, that implements the same algorithm and is thus compatible.
  • One iMarcian uses this.

LastPass:

  • https://lastpass.com
  • Platforms: Browser extensions for Safari, Firefox, Chrome, Opera, Internet Explorer. Native app on Windows Phone, Blackberry OS 7, Blackberry Playbook, Symbian, Android, WebOS.
  • What's special about it: Supports two-factor authentication.
  • Pros: Runs everywhere. Everywhere. If you have one of the great-but-gone WebOS tablets or Blackberry Playbook, LastPass has you covered. Free-as-in-beer for desktop PC/Mac use.
  • Cons: Advertising-supported. Paid subscription is required for mobile access (but at $12/year, it's cheap).
  • One iMarcian uses this.

KeePass:

  • http://www.keepassx.org
  • Platforms: Linux, Windows, Mac
  • What's special about it: It's free-as-in-liberty – GPL 2.0 open source license.
  • Pros: Source code hosted at GitHub. Fork it yourself!
  • Cons: Clunky. Autofill remains an "experimental" feature years after its introduction, and Linux-only.
  • No iMarcians use this.

mSecure:

  • https://msevensoftware.com/home
  • Platforms: Windows, Mac, Android, iPhone, iPad, Windows 8 Phone
  • What's special about it: Optional self-destruct feature to beat brute force attacks. Works on Windows 8 Phone. Syncs using Dropbox.
  • Pros: If you use Windows 8 Phone, this appears to be your best bet. Inexpensive; just $20 for Windows or Mac.
  • Cons: Windows 8 Phone version doesn't yet support Dropbox sync.
  • No iMarcians use this.

Go forth, be secure, and encryptify:

Aside from picking a tool that supports your computers and/or mobile devices, which you use is largely a matter of personal taste. I suggest…

Power user's delight: 1Password or LastPass.

Free as in Beer: LastPass, KeePass or PwdHash.

Free as in Liberty: KeePass or PwdHash

Finally, here is a list of top sites where you should change your password now. Get to it!

OpenSSL “Heartbleed” vulnerability status

Posted by Robert Mohns on April 11, 2014. Tagged: engineering

This Tuesday, a new OpenSSL security vulnerability was announced (with a fix). We're committed to security, and although we usually don't comment, such a high-profile report as this merits a public note. The short version is, if we host your site, you're safe.

We use OpenSSL for encrypting certain connections to and from the servers that host many of our clients' sites. We immediately checked all our servers. Most of our servers were not running the vulnerable version, so they were never vulnerable to Heartbleed.

Twelve of our clients' sites were running the vulnerable version. While there's no evidence that any of these servers were compromised, we upgraded OpenSSL with the fixed version that day.

Due to the widespread nature of this vulnerability, we recommend changing your passwords across the web. (If you don't use a password manager tool, now's a good time to start. Here's an article by iMarc engineer Dan Collins with some tips on picking a password manager. I'm fond of 1Password, which works on Windows, Mac, Android and iOS.)

You can find more info on the vulnerability at http://heartbleed.com/.

If you have any questions for us, please contact us at support@imarc.net.

Ring the gong! More site launches!

Posted by Nils Menten on April 2, 2014. Tagged: clients, content, creative, strategy

Holy smokes, did everyone come out of the woodwork in the last 4 months! In 16+ years I cannot recall a busier period, and it seems like a lot of pent-up demand has finally been released. We are happily busy!

We launched several new projects in the past few months, and several more are just about to. Here are a few highlights:

SSH Security

The security pioneer that founded this company developed one of the most important and fundamental technologies that we use every day in our work - the "Secure Shell Protocol". We jumped at the chance to build a site for them. 

I'm going to be flatly immodest and say this site is fantastic, one of the best we've ever built, and that is true in large part because they were great collaborators. It's a big site, containing lots of pages and content, but the navigation is effortless and intuitive to use. It's fully responsive, and so works perfectly on any browser on any device or platform. Jared and the team created a really modern, clean design that's right on brand. And the back end systems are rock solid, the CMS easy to use. This site was launched on time to be unveiled at their biggest yearly event and the feedback internally and externally has been excellent. More to come with SSH!

Network for Excellence in Healthcare Innovation (NEHI)

These guys are like family to us after all these years, and we were grateful that they came back to us to redevelop the site we built for them back in 2006. NEHI is an organization at the center of some of the most critical dialog in healthcare - asking the question, "How can we fix health and health care in the US?". The network of leading healthcare organizations that make up their membership represent some of the best minds in healthcare today and they do not shy away from the tough questions. NEHI 'holds the umbrella' that facilitates the dialog and the sharing of ideas, bringing these people together for common cause.

This is another responsive site and so works perfectly on any device all the way down to a smartphone. Great content and valuable information is the product, and it's front and center - news and policy information, documents, research, white papers. It's all well organized and clear, yet there is a little "discovery" that takes place as you browse the site. Another great user experience, and a strong result from the design and UX team, with our usual back-end finesse, using our super-easy-to-use SiteManager content management system. 

A great result, they were thrilled and so were we. Ready for another 5 years of growth and innovation! 

P.S. We really DO have a gong, a real one and a virtual one you are welcome to use anytime for YOUR celebrations. Visit http://gong.imarc.net

Pirated!

Posted by Kevin Hamer on April 1, 2014. Tagged: culture

For April 1st this year, the iMarc site was pirated. By "pirated", I mean that our site received an overnight change to a pirate theme.

iMarc.net Pirate Edition

The pirate edition of iMarc.net makes use of the CSS3 sepia filter to give the site a vintage feel. Our traditional font, Fjord One, was swapped out for the more adventurous Pirata One. CSS3 Animations were used to layer some simple waves across the bottom of the page. Lastly, most of the content throughout the homepage was rewritten to fit.

April Fools Day has always been a personal favorite of mine. It serves as a reminder to create some of the unexpected and to not take anything too seriously.

Setting the Mood with Mood Boards

Posted by Jared Laham on March 19, 2014. Tagged: creative, design

Setting the Mood
When starting a design project, it's important to establish a clear definition of branded visuals and tone before moving forward with design deliverables. In most cases, clients have a well defined brand style guide at the ready, which helps clarify and reinforce visuals to come. However, what if a client doesn't have a (good) style guide and they aren't sure what exact aesthetics they are looking for? Mood boards to the rescue!

What's a Mood board?
For that very reason, iMarc's creative team uses a process called "Mood Boarding" to get farther faster. Mood boarding is a design exploration that leverages color palettes, stylized photography, typography, iconography, patterns, and layouts to develop a look and feel within a unified concept. In other words, an educated rough design that attempts to visualize what a client is asking for. 

Unfortunately, mood boards have been given a bad reputation as random boards of inspiration or abstract gatherings of "liked content". Truth be told, any step forward in a design process that adds clarity and identifies a creative direction is a valuable one. Designing a homepage is a calculated and time consuming process.  By exploring moodboards before a homepage design, you can quickly prototype multiple look and feels much faster than you would iterating on multiple home pages.

Create your own Mood board
At iMarc we take mood boards further than simply bundling elements onto a page, by establishing a strong concept that helps tie all elements on the mood board together. We have found the following process works well to strengthen your concept while getting better buy in from clients.

  • Collect inspiration from everywhere and anywhere;
  • Distill into no more than 3 concepts - Too many options, too many "frankensteins";
  • Show a variety of color palettes - Color is strongly tied to mood, so don't be shy in showing some serious contrast between palettes;
  • When in doubt, Latin to the rescue - Words are powerful on their own, and if a piece of marketing copy isn't exactly right, this can hinder further consideration of the board. If you don't quite have the messaging nailed down, just use Lorem Ipsum. It still shows typography, hierarchy, and content density;
  • Talk about the board before showing it. Think of this as your drum roll before unveiling each board. Rather than rattle through the boards and ask "what do you think?", create breakdowns for each board, clearly calling out the concept, elements and brand attributes associated with it.

Keep your mood happy
These boards should be light work and fun to create. Don't spend more than a few hours on each board and feel free to break out of your normal style of design while creating them. I like to look at moodboards as an opportunity to try a new technique or explore a new typeface without feeling too committed or fearful of usability. Mood boards aren't for everyone but if you ever find yourself not sure what visual direction will really resonate with a client, try showing them a few moodboards and see what happens. But beware designer friends, the biggest pain point with moodboards is the fact that when writing the word moodboard, every text editor and email client will auto correct it to "moldboard" and let's face it, no client wants those — yuck. So beware! Good luck and happy mood boarding.

To help you get started with your visual discovery, we have created a simple template to aid you in your next mood board. 

Download iMarc Mood Board PSD Template (.ZIP)

RequireJS Per-Page Modules

Posted by Jeff Turcotte on March 12, 2014.

We're trying out RequireJS on a new project. It lets our JavaScript be nice and modular with a single entry point and script tag.

One of the initial issues that I ran into with the implementation was doing per page modules. We like to organize our scripts by the page (or CMS tool) that is using them. If you are writing a one-page application fully controlled by JavaScript, then you don't have this issue; the single entry point will work just fine. If you need to load a module per page, there's not really a great standard technique for doing so. The best example of how to do per page modules is described here: https://github.com/requirejs/example-multipage, but I found this way to have a pretty big downside: Useless "shim" files. Each page is required to have its own JavaScript file (or inline JavaScript) to load your app-wide configuration JavaScript and then the page-specific module.

For our project, we decided to do it a different way. RequireJS already uses the data-main attribute on its script tag to load up your main entry file, so I decided to use another data attribute to specify the per page module.

We are using Twig templates for this application, so the implementation looks like this:

 

With this implementation, we just need to set the script variable on the template and the RequireJS bootstrap file will use it to load up the proper module. So far, this has been working out great and is a much more elegant solution than anything else I've come across.
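
One way the bootstrap side of this approach could look, as an added example rather than the author's code: the attribute name `data-module`, the `pages/` prefix and the function names are assumptions. It also restricts the attribute to plain module IDs, because RequireJS loads an ID that ends in `.js`, starts with `/`, or contains a protocol as a direct URL instead of resolving it against `baseUrl`.

```javascript
// Added example: bootstrap logic for a per-page module named in a data attribute.
// Assumed markup (hypothetical attribute name and paths):
//   <script data-main="/js/main" data-module="{{ script }}" src="/js/require.js"></script>

// Only simple slash-separated names are accepted, so a template value can
// never point the loader at an arbitrary script URL.
var MODULE_ID = /^[a-z0-9_-]+(\/[a-z0-9_-]+)*$/i;

// Returns the module ID to load for this page, or null if none was set.
function resolvePageModule(scriptEl) {
  var name = scriptEl && scriptEl.getAttribute('data-module');
  if (!name) {
    return null; // page has no page-specific module
  }
  if (!MODULE_ID.test(name)) {
    throw new Error('Rejected page module id: ' + name);
  }
  return 'pages/' + name; // assumed location of per-page modules under baseUrl
}

// Loads the page module through the supplied loader (RequireJS's require()).
function bootstrap(scriptEl, requireFn) {
  var id = resolvePageModule(scriptEl);
  if (id) {
    requireFn([id]);
  }
  return id;
}

// Browser wiring: runs only where a DOM and a global require() exist.
if (typeof document !== 'undefined' && typeof require === 'function') {
  bootstrap(document.querySelector('script[data-main]'), require);
}
```
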