Using a Plus to Simplify International Dialing

When I travel out of the country, I usually test out new VoIP services both for calling back to the states and receiving calls while I am traveling. I consistently find that while the rates for VoIP services are very attractive, the user experience and flexibility is often lacking when I traveling, particularly with limited network connectivity.

Depending on the length of my stay, I purchase a prepaid SIM to use in a spare unlocked mobile phone so that I can make and receive local calls at local rates. Since most countries outside of the US offer free inbound calls, having a local SIM is even more attractive, although navigating voicemail prompts in another language can be challenging. I often use one of the VoIP services to forward a my United States phone number to my international cell phone number so that I can let friends and family reach me without incurring international charges on their part. Rates for calling international mobile phones range from $0.15 to $0.30 a minute, so be careful who you give your forwarded number to if you try this method.

Calling from multiple devices and multiple services is where plus dialing standard becomes important. People who make regular calls overseas from a mobile phone or a VoIP service will likely be acquainted plus dialing. However, I find that there is often confusion about what plus dialing is and how it works from people who only dial international numbers using landline phones. For those interested in the details, the official specification dialing using the international prefix symbol (commonly known as a plus) is the ITU specification E.123 : Notation for national and international telephone numbers, e-mail addresses and Web addresses

If you want to dial a phone number in another country using a standard landline phone, you need to dial extra digits. Let’s pick an imaginary number in the Netherlands 011 31 20 00012345 as an example. The breakdown for this number follows: The international dialing prefix is 011 for the US, The country code for the Netherlands is 31, the city code for Amsterdam is 20, and the remainder is the local number. We are now used to dialing ten digits for long distance call in the US. For example, (415) 555 1212, which corresponds with the country code, area code, local prefix, and last four digits.

The problem is that the number you call depends on what country you are calling from. Dialing the same number in the Amsterdam from Brussels requires a slightly different number 00 31 20 00012345. Also, in many countries there is a local digit added to the numbers for in country dialing, so the number might look like this 31 0 20 00012345.

Plus dialing is a more straightforward option for mobile phones, VoIP phones, and newer business phones. With plus dialing the phone network can assume that the number is a complete international number and treats the same way no matter what country you are in when you dial the number. The one constraint is that your phone must me able to dial a plus.

Under the new system, you dial a plus, the country code, city code, and then the local number. For example, +31 20 00012345 as opposed to 011 31 20 00012345 or 31 0 20 00012345. Dialing a phone number in the United States would take the form of +1 415 555 1212. The nice thing is that once you have your numbers in plus dialing format you don’t have to worry about variations when you travel. You can dial the same number from your cell phone and a VoIP call such as from Skype. Most cell phones can dial using the plus symbol, although the correct key combination is not always obvious. Most landline phones cannot dial a plus.

I internationalized my entire address book, so the number will be correct independent of my current location. Since I synchronize my address book with my mobile phone and my VoIP soft phone address book, I only need to store and use one form of the phone number.

* This article originally appeared as Using a Plus to Simplify International Dialing in my Messaging News “On Message Column.”

Trends in Password Masking Security and Usability

John Gruber’s Daring Fireball pointed me to Jakob Nielsen’s Alertbox column Stop Password Masking, which resulted in a thoughtful and interesting thread of conversations and a few experimental solutions. Password masking refers to the practice of displaying an alternate character, usually a star or a bullet in place of the actual characters typed into a password field. The idea is that this prevents another party from viewing the password while it is entered. Nielsen argues that in most cases masked passwords are not needed since should surfing is not a major issue and that this is even less of an issue on mobile devices. He says masked passed passwords often reduce usability by increasing the number of errors since users cannot see what they are typing. This problem is further compounded on mobile devices where typing is more difficult and slower. Since users are less certain about what they are typing, they are much more likely to choose passwords that are simplistic or copy and paste the passwords from less secure locations. Nielsen says that high value password forms should offer an optional checkbox for masking passwords so that they can be used on an as needed basis.

Jason Montgomery’s Response to Nielsen’s “Stop Password Masking” on the SANS Institute’s The Application Security Street Fighter Blog that provides a more nuanced commentary on the tradeoffs between security and usability for password masking. Montgomery argues that Nielsen’s points are valid and suggests that password managers, pass phrases, and two factor authentication can sidestep some the problems by increasing the security of stored passwords as well as the ease of recalling them. Earlier I reviewed, 1Password, a password manager for Mac and iPhone that I use daily.

Bruce Schneier, a respected security expert, agreed with Nielsen in his brief response, The Problem with Password Masking. His post generated a large number of comments, which caused Schneier to temper his opinion in a later article The Pros and Cons of Password Masking. Schneier concludes that even though there are significant downsides to password masking, the practice is less problematic than either not masking passwords at all or complicating the interface with an optional password masking checkbox. The second article also generated a thoughtful discussion in the comments. In Strong Web Passwords, Schneier summarizes the Usenix HotSec07 article Do Strong Web Passwords Accomplish Anything? by Florencio, Herley, and Coskun, which argues that complex passwords do little to increase security when adequate policies are in place to limit the number of password attempts. Schneier suggests that the password masking feature on BlackBerries with SureType (non-QWERTY) keyboards and the iPhone (see: iPhone 2.0 password masking) that shows the current character and masks all previous characters is a reasonable alternative.

Farhad Manjoo’s Slate Magazine column, Fix your terrible, insecure passwords in five minutes, offers a solid set of suggestions for creating better passwords and describes why this is important in light of the recent Twitter break in. Macworld’s Joe Kissell offers his own set of suggestions for creating better passwords in a series of articles listed in Top password tips

The ongoing discussion led several developers to create prototypes that demonstrate password masking techniques. Each implementation has an online demo and source code publicly available. All prototypes are currently written in jQuery.

  • Stefan Ullrich’s iPhone-like password fields using jQuery and Oliver Storm’s Mypass each implements a password masking field similar to the iPhone and BlackBerries with SureType that displays the current typed character, but masks all previous characters by replacing them with bullets.
  • Byron Rode’s showPassword is a jQuery plugin that implements a password entry field that defaults to fully masking the password with bullets, but also includes Nielsen’s proposed checkbox to display the password when requested.
  • arc90 created two experimental password masking implementations. The first, HalfMask creates a masking effect by placing translucent random characters on top of the original password characters. This allows the person entering the password to view the original, with some concentration, but makes it far more difficult for another person to casually observe the password. The second implementation, HashMask, masks the password in a standard way by replacing each character typed with a bullet, but adds a visual representation of the password in the form of a Sparklines. This way the person entering the password has a visual indication that the password is correct, although they need to remember the Sparkline.
  • Mattt Thompson’s Chroma-Hash was inspired by arc90’s HashMask and masks passwords in the standard way, but adds a visualization of the password as it is typed using colored bars generated from a hash of the password. This allows users to quickly check that the visual representation is correct before entering submit. It has the side benefit of allowing fast comparisons when password confirmations are required for entering new or changed passwords. Lee Gao created pyChroma, a Chroma-Hash implementation in Python, which has source, but unfortunately no online demo.

Finally, Kevin Vigneault describes considers several other related options in his post Confirming Passwords Is Annoying: Is There a Better Way?, which was a result of a thread on IxDA “Confirm password” field – Superfluous? that appeared several months before Nielsen’s column.

* This article originally appeared as Trends in Password Masking Security and Usability in my Messaging News “On Message Column.” Article updated July 31st, 2009 to add additional references.

TripIt Shows the Value of Combining Email, Web and APIs

TripIt is a free service that simplifies organizing travel plans. The service has done an excellent job of making it painless to aggregate the collection of email receipts that you receive from airlines, hotels, car rental companies and travel agencies into one master itinerary. In order to use TripIt, you simply forward any email receipts to plans@tripit.com. The service extracts the reservation information from the message and assembles an attractive and very functional master itinerary from all the disparate documents. TripIt supplements the existing information with seating charts, information about local weather and events. Tripit supports a large number of travel-related vendors and regularly adds new ones based on demand.

I have been using TripIt for about a year and a half for both business and personal travel. TripIt provides many methods to access your travel information. There are three separate web-based interfaces–one for desktop browsers, one tuned specifically for the iPhone and one for other mobile web browsers. The service makes it possible to access your data via email, SMS, .ics calendar feeds and RSS feeds. TripIt recently added an Application Programming Interface (API) for developers that is rapidly expanding the number of options.

By default, trips are private. If you choose to add “connections” to other TripIt users, the service will then display trip basics including your destination and the dates you are traveling. You can choose to share trips and allow other individuals to view details such as flight and hotel information for a specific trip even if they are not TripIt users. You can also designate “collaborators” that make may changes or additions to an itinerary. While TripIt does have a number of social network features, these are not required to make the service useful for valuable.

Automatic account creation is one aspect of TripIt that illustrates how well email is integrated with the service. An account is created for you the first time you email TripIt a travel receipt. There is no need to go up through a separate sign up process, although you do have to assign a password the first time you log in.

One of my favorite talks from last year’s Web 2.0 Expo in San Francisco was “Making Email a Useful Web App” from Andy Denmark of TripIt. He made the argument that email is still interesting as an access point for web-based applications. He placed TripIt in a historical context of email driven applications such as the old email-based Internic domain registration forms. Denmark also mentioned TrackMyShipments, an online package tracking service, which is also email receipt-based. I like this service as well and will review it in the future.

The release of a TripIt developer API, immediately led to a number of useful connections to external service such as LinkedIn for sharing travel plans with business connections, Plaxo for integration with Plaxo Pulse and Plaxo Pulse, expens’d, which links with TripIt data to simplify travel expense reporting.

In some ways, TripIt competes with Dopplr, but in reality the services have minimal overlap and I think they are complimentary. Dopplr’s focus is on the social and visualization aspects of travel, while TripIt excels at many disparate travel documents and producing a useful master itinerary. I really look forward to the day when a developer connects these two services via their APIs.

I have very few complaints about TripIt, one is that it is difficult to retrieve older trips, which are sometimes useful when double checking records for expensing, etc. A brief history is available in the profile, otherwise you will need to find an old email from TripIt containing the URL from the trip to view the old itinerary.

The API connection potentially improves the situation for using your own historical TripIt records. That said, it would still be nice if TripIt created a way to easily view historical trips in the browser. This data is currently available in the calendar files and RSS feeds, but these are not convenient for most users to quickly look up a previous travel itinerary online. (Update: Thanks to a comment from TripIt’s Scott Hintz, I now see that the earlier trip history is available, just a little out-of-the-way. Thank you Scott.)

I have long wished that TripIt had a native iPhone application. The web-based iPhone interface is well done, but the master itinerary is also useful when I am without network connectivity such as on the plane or in a subway or when data is expensive such as on an international trip. This problem has effectively been solved with the release of the API as third party developers have begun to create applications that work with existing TripIt data.

There are now two travel applications for the iPhone that are able to sync with TripIt, FlightTrack Pro and TravelTracker. I have not yet seen applications for other mobile platforms such as BlackBerry or Android that will sync with TripIt data, but I would be surprised if the did not begin to appear up sooner than later.

The first application, FlightTrack Pro (iTunes Store link $9.99) is the big brother to the FlightTrack live flight tracking application. FlightTrack Pro can also synchronize flights with TripIt to automatically load upcoming trip information. The application includes features that appeal most to frequent fliers including arrival and departure times, aircraft type and flight maps. The application can download current information on flight status, any delays or cancellations and weather conditions over the air. FlightTrack Pro caches this information so you can review the details even after you are in the air and offline.

The second application, TravelTracker (iTunes Store link $1.99) is an iPhone application helps to track the large and small details related to travel such as airline, car and hotel reservations, frequent flyer account numbers. TravelTracker has a long heritage as it has been available for Palm OS since 1998. The application contains a number of internal databases including airports, Amtrak stations and a number of customizable shopping, packing and sightseeing list related to travel. TravelTracker includes the ability to keep track of expenses and includes a large number of default categories to select from. The application provides links to the internal browser to look up flight information, airport maps and seating charts.

TravelTracker provides several options for importing and exporting data. The application supports emailing itineraries as plain text, html or CSV. Users can independently backup or restore TravelTracker data via a desktop helper application. There were Windows and Mac OS9 desktop companion applications for the PalmOS version of TravelTracker. There is currently no stand-alone desktop applications that are compatible with the iPhone version.

The developer of TravelTracker makes a separate application called Flight Update ($5) that provides real-time flight information, which will hopefully also gain TripIt support in the future. If the user has them installed, TravelTracker would benefit from providing links to either Flight Update or FlightTrack as both are significantly more usable than switching to the built-in browser to look up information.

Third party iPhone applications are not allowed to access entries from the iPhone calendar, so neither FlightTrack Pro nor TravelTracker can place entries directly into your calendar on the iPhone. As a practical matter, this is not really a problem. TripIt provides its own .ics calendar feed that you can subscribe to from desktop calendars such as iCal or Outlook or from web-based calendars such as Google Calendar or the Hotmail Calendar.

* This article originally appeared as TripIt Shows the Value of Combining Email, Web and APIs in my Messaging News “On Message Column.” Minor corrections, URL, and pricing updates September, 13, 2010.

You should follow me on Twitter.