Archive for the Category Technology


On Password Strength (xkcd 936)

Randall Munroe in his latest xkcd comic suggests that four random common words make a more secure password than a short, random word w/ substitutions.

There are some quibbles I have here – Randall is assuming that the form of the password is known in both situations, in which case the four-word password is obviously superior to the one-word password.  But in the first situation, do we really know that we’re going to have exactly 1 uncommon dictionary word, followed by a punctuation mark and a single digit?  Randall says “add a few more bits to account for the fact that this is only one of a few common formats” in the subtitle text, but if we add another uncommon base word (Randall estimates that there are 2^16 of them), we’re already up to 2^44 (the same difficulty level as the four-word password).  To top it off, we can add arbitrary punctuation/digits between base words.

Randall’s also overestimating the number of different words that people will use to craft a four-word password.  He gives an estimate of 2^44 that is derived (most likely) from the common estimate that there are roughly 3000 words in conversational English.  However, he doesn’t consider that certain sorts of words are grossly less common than others, and that a sequence of English words lends itself to particular patterns. In particular, if there are 3000 conversational English words, there are only a few ways to turn four words into a coherent sentence. English sentences are predictable, especially with common words.

Subject-Verb-Object gives the English language structure, but also makes passwords easier to guess.  By assuming common structures (as Randall does with the one-word password example), we can quickly define down the actual security level we’re going to realize.  For instance, there are only a few hundred (at most) prepositions in the English language.  In a user-constructed sentence, there is a high likelihood of one of these showing up.  If we had a few thousand of these passwords to analyze, we’d see obvious patterns – people would use "The", "A", or "An" as the first word of the password with high frequency.  Easy, short nouns would be common.  Commonly misspelled words would be rarely used.  In other words, these passphrases would have structure.  Google already has a product that attempts to predict the next word you will type.  How well would similar machine learning attempts fare on these passwords, especially if given a first-word seed?
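The entropy accounting behind the three paragraphs above, as an added worked example (not code from the post or from xkcd): the comic's own bit budgets for both schemes, the post's "second uncommon base word" objection, and a sentence-shaped passphrase whose determiner and preposition slots shrink the search space. The slot sizes for determiners (3) and prepositions (150) are assumptions chosen for illustration.

```python
import math

GUESSES_PER_SECOND = 1000  # the comic's assumed online guess rate


def scheme_bits(slot_sizes):
    """Entropy (bits) of a password whose slots are chosen independently and
    uniformly, each from a set of the given size; per-slot bits simply add."""
    return sum(math.log2(n) for n in slot_sizes)


def crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Time to exhaust a space of 2**bits candidates at a fixed guess rate."""
    return 2 ** bits / rate


# xkcd 936's accounting for Tr0ub4d0r&3: 16-bit uncommon base word, 1 bit
# capitalisation, 3 bits common substitutions, 4 bits punctuation, 3 bits
# numeral, 1 bit for ordering of the suffix. Total 28 bits.
TROUBADOR = [2**16, 2, 2**3, 2**4, 2**3, 2]

# Four words, each drawn uniformly from a ~2048-word (11-bit) vocabulary.
FOUR_WORDS = [2**11] * 4

# The post's first objection: a second uncommon base word adds 16 bits,
# which already matches the four-word scheme.
TWO_WORD_TROUBADOR = TROUBADOR + [2**16]


def structured_passphrase_bits(determiners=3, prepositions=150, vocab=2**11):
    """Constructed model of a sentence-shaped passphrase such as
    'The horse over battery': determiner, content word, preposition,
    content word. Two slots draw from tiny sets, so the total drops."""
    return scheme_bits([determiners, vocab, prepositions, vocab])


def search_space_shrink_factor(structured_bits, unstructured_bits=44):
    """How many times smaller the structured space is than the uniform one."""
    return 2 ** (unstructured_bits - structured_bits)


if __name__ == "__main__":
    for name, slots in [("Tr0ub4d0r&3", TROUBADOR), ("four words", FOUR_WORDS),
                        ("two-word Tr0ub4d0r", TWO_WORD_TROUBADOR)]:
        b = scheme_bits(slots)
        print(f"{name:20s} {b:5.1f} bits, {crack_seconds(b) / 86400:10.1f} days")
    sb = structured_passphrase_bits()
    print(f"sentence-shaped      {sb:5.1f} bits, space is "
          f"{search_space_shrink_factor(sb):.0f}x smaller than 44 bits")
```

The 28-bit scheme exhausts in about 3 days and the 44-bit scheme in about 550 years at this rate, reproducing the comic's figures; the sentence-shaped passphrase lands near 31 bits, closer to the single-word scheme than to the four-word one.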

There are other psychological factors to consider.  "I Love You" would perhaps become even more popular as a password than it is now.  Shoulder-surfing (i.e., looking over someone’s shoulder to steal their password) would become easier.  The human eye can pick out these patterns better than it can pick out someone typing Tr0ub4d0r&3.  On top of this, what’s to stop Alice and Bob from making their password "Eve is an idiot"?  Yes, people already make their password the name of their pet, but this will actually encourage it!  You’re telling users "yes, it’s quite alright to use common words".

I also don’t believe Randall’s claim that four random words are really easier to remember than one.  "Correct horse battery stapler" can just as easily be "Correct battery horse stapler" or "Correct horses battery stapler".  If the words are really "random", they won’t be easy to remember.  If they are not random, they won’t be secure. 

That’s really how it is with all passwords – there’s always going to be a trade-off between passwords being easy to remember and secure, unless the user has some truly private store of knowledge.  The best solution to this?  Muscle memory.  Learn to type a randomly-generated string of characters and learn it well.  Use and abuse it, and never forget a password again.

Google+’s Real Killer Feature

Vincent Wong (@fttechfounder) put together a slideshow on Google+ (in both senses of the word) entitled “What G+ is really about (psst!!! it’s not social)”.

Wong makes a great point – that the new Google+ toolbar means that soon all the Google services (docs, maps, etc) will probably be shared via the Google+ social network.  And he (correctly, in my mind) assesses that this will create headaches for Microsoft and Apple.

However, I don’t think Wong is right when he says that Facebook and Twitter don’t have to worry.  Wong cites, through the course of his presentation, basically one reason why Facebook and Twitter are safe: size.  It’s not a bad point – Facebook has 750 million users.  If you read a name a second on Facebook you wouldn’t get done reading for 24 years.

Of Stickiness and the Color of Oceans

The only thing keeping people on Facebook is the network – and as anyone who uses Facebook knows – your network, while comprised of hundreds of friends – is really centered around 10 or so of your close friends (“strong ties” in the parlance of psych research) who you interact with on a daily or weekly basis.  Everyone else is kind of floating out in the Land of Wishing you a Happy Birthday and Not Much Else*. 

* it’s a sad, sad Kingdom -  pretty much the opposite of Disney World

That’s why the Invite mechanic of Google+ has been so potent: when a person goes to Google+, they bring their closest friends with them via exclusive, shiny invites.  Even if only half your close friends come with you, that pretty much fragments Facebook’s user base.  In the interim, people will be checking both Facebook and Google+ (as I currently do), but in the long-run, people who use Gmail, write on Google Docs, get directions from Google Maps, and read Google News (not to mention search the web via Google) will constantly be reminded of their Google+ presence rather than their Facebook presence.  My guess: Chrome integration is on the way, and soon.

What does this mean?  Wong could still be right – headaches for Facebook and Twitter could just be side-effects of Google+’s real aim.  He claims Google is employing a “Blue Ocean Strategy” (odds that MBAs everywhere just got really excited: 90%) which is basically a short way of saying that Google+ is trying to create a new product space instead of competing against established players in the old “Red Ocean”* space.

* Red, because competition turns the oceans bloody.  Bloody! Blue Oceans are clear sailing and open waters! As long as we’re going with the metaphor, I’d say that Roger Goodell and David Stern are currently employing Brown Ocean strategies w.r.t. their respective leagues.

It IS Facebook vs Google+

But really, do we need two Identity Platforms – two places to check what our friends have to say and to see pictures of their nephews and daughters and cats?  Of course not – Google knows that Facebook and Google+ are in competition.  Everything about their Circles product is phrased as “and this is NOT like X” (where X is something that Facebook does).  Facebook certainly knows it.

But Facebook and Google+ are radically different in the way in which they are social.  Dhanji Prasanna, an ex-Google+ team member, notes that the core complaints that Google+ was designed to address (outlined in Google UX researcher Paul Adam’s excellent slideshow “The Real Life Social Network”) were misunderstood by Facebook.

Prasanna writes: “I had originally assumed that he meant facebook would lack the agility to make the necessary technical changes, so central to their system. But I was wrong–the real point was that they would not be willing to change direction so fundamentally. And given such a large, captivated audience you could hardly blame them.”

The executive summary of what Adams says: Online social networks do not let people differentiate between groups of connections and share different content with them.  To the contrary, Facebook saturates the user with too much content and puts too much of the onus on a user to censor themselves and think deeply about repercussions every time he or she shares content.

It’s all true – and Google+’s circles are a step to combat this problem.  But I think the real killer feature of Google+ is actually, ironically, a subtraction rather than an addition.  Wait for it:

And the Wall Came Tumbling Down

It’s the lack of the wall.  When you move from Facebook to Google+, you can no longer write on someone’s profile.  There’s just no way to do it.  You can’t wish them a happy birthday on their wall.  You can’t share a cool link on their wall.  You can’t post a picture on their wall.  You can’t even say “hey, what’s up” on their wall.  The reason: letting someone else write on your profile gives them control over what people who look at your profile see.  It fundamentally doesn’t make sense to anyone who might be judged on the content of their online profile.

You can still “share” content with someone in a manner similar to twitter – you tag them in a post.  But like Twitter, no one else who simply looks at your profile can see messages sent to you.  You are in complete control of what people who see your profile see.   Newt Gingrich can stop being worried about what a crazy extremist fan or opponent of his will post on his profile – because now, when someone goes to Gingrich’s Google+ page, they don’t see what his rabid fans and rabid enemies think* – they see what he thinks.

* Because honestly, who else posts on a politician’s public Facebook page besides the crazies?

I’ve always hated Facebook’s Wall.  I’ve never understood why people post “hey, we haven’t talked in a while – hit me up” on my wall instead of sending an email.  Everyone needs to wish everyone else a Happy Birthday publicly for the entire world to see, but it’s the most superficial form of communication possible – nothing of substance or personal value can be said, and there is little to no obligation to actually respond.  The Facebook Wall acts mostly as a form of social proof (more psych jargon!) whereby people see that you’re cool enough to have other people talk to you (or uncool enough that no one writes on your wall!).  People are eager to see if someone wrote on their wall not because they want to be communicated with, but because it makes them look good if other people see that they are being communicated with.

So to recap – the lack of the wall gives Google+ three advantages: First, it lets you control the content of your own profile to maintain professionalism and control your own image.  Second, it kills farcical conversations that are aired in public for inexplicable reasons and thus encourages real dialogue via email or chat.  Third, it turns a social network from an exercise in social gamesmanship into a place you can go to communicate in groups.  That’s why, in my mind, the lack of a wall is Google+’s killer feature.