Monday, January 9, 2012

Personal finance software: chucking Mint for YNAB

A cousin recently put me on to You Need A Budget — a personal finance software package. I just spent some time this weekend setting it up with my wife. Maybe we’re still in the ‘honeymoon phase’ of budgeting, but it feels really good to be on top of our finances and to have a flexible plan for our spending.

YNAB feels refreshingly like what a “Quicken Rebooted” would feel like. After a couple of years trying “finances in the cloud” à la Mint, returning to a traditional program that just runs on your own computer feels like the right thing to do. I once again have control of my own financial data, and will never have to worry about potential security breaches at unregulated third-party services like Mint.

YNAB insists that you manage your transactions the Old Way: by entering them yourself. The fact that this feels very right was (and is) quite a surprise to me, but when it “clicked,” it felt like it had been a long time coming. When I signed up for Mint, the automatic behind-the-scenes importing of all my transactions seemed like a brilliant way to streamline things, but it turned out to have some fatal downsides. Mint’s connection with my bank was always spotty, and their automatic categorization of my spending was never more than about 60-70% accurate. This meant I had to go in and regularly sift through all my spending, making sure each transaction was properly categorized — a process even more unpleasant and tedious than just entering them myself. It wasn’t long before I stopped using it altogether. So when I read this on YNAB’s website, it resonated a lot:

“We do not directly connect with your bank, log in with your username and password, and download transactions for you. That kills awareness and promotes a “set it and forget it” mentality that lets you not revisit your budget for months, leaving you right back where you started. We’ll import downloaded transactions (OFX, QFX, QIF) to make sure you’ve captured every transaction, but bank importation should not be the primary means of entering data into YNAB. (Use your phone and record it as the transaction happens, or make entering receipts a 5-minute daily ritual. Your money will thank you for it. Promise.)”

But the biggest difference between YNAB and the Mint approach is that while Mint is geared towards passive capture of past spending, YNAB’s workflow puts planning future spending at the center¹. I won’t dive into that here, but you should know that this approach is what will make even using finance software worth your while. If you are familiar with the increasingly-popular envelope system of budgeting, or with financial planning evangelists like Dave Ramsey, YNAB will fit right in with those paradigms and help you implement them.

Coming down from the cloud

YNAB’s non-cloud approach means you won’t have completely seamless access to your main financial data store from any browser or from your iPhone. When you think about it, that actually might not be a problem. Do you really need that kind of access? Financial planning isn’t one of those things that inherently benefits from being decentralized.

YNAB tries to strike a middle course by supplying iPhone and Android apps that let you record transactions on the go for easy syncing later. I haven’t yet tried these apps out; I’m not yet sure whether it’s even worth the added complexity for me personally. I can just as easily keep receipts or type transactions into a note app on my phone.

Ideally, a YNAB mobile app would allow automatic background syncing between two phones, so that my wife and I would have quick, seamless access to where our budgets are at, but YNAB’s app isn’t there yet². But in my view, it all goes back to a focus on planning rather than capture. If my wife and I actually have a plan in place for our monthly spending, we pretty much know going into the day where our money is going to go, and up-to-the-minute syncing becomes much less important. Again, I wonder if this is one of those situations where automatic syncing — an inherent “feature” of the cloud approach — would actually be counterproductive in this field, by allowing you to take the easy road and react to spending events, rather than relying on proactive planning.

NB: I’m not an affiliate of YNAB in any way, nor am I being compensated in any way for this overview.


  1. Mint had budgeting tools, but they were clumsy to use and always felt like something of an afterthought. 

  2. YNAB’s website says that they “are actively working on ways to improve the entire synchronization of your budget data across not only the mobile apps but multiple desktop installations as well,” but they decline to offer a timeline. 

Wednesday, January 4, 2012

Encryption and DropBox: Comparing TrueCrypt and BoxCryptor

If you’re a DropBox user, you may have heard about the security weak points associated with their cloud storage service (or any such service):

  1. DropBox has had security issues that left users’ information exposed to hackers for hours at a time. Could it happen again? Certainly.
  2. DropBox staff have the ability to access your files without your knowledge. They have acknowledged that essentially the only thing between their staff and your data are internal company policies. This is much weaker than zero-knowledge systems like SpiderOak, where it is not even technically possible for staff to access users’ files without the user’s key.

Even knowing these weaknesses, I use DropBox anyway. Having access to some (not all, obviously) potentially sensitive files on multiple computers/phones is helpful enough for me to find some way to mitigate the security risks.

It’s important to note that if you’re putting sensitive files on DropBox purely as a backup solution, you should just stop. Find some other way to back those files up. But if, like me, you find it extremely helpful to have access to certain moderately sensitive files from multiple devices, you should find a way to add a layer or two of security to those files before storing them on a cloud service like DropBox.

There are two good ways that I have found to do this. Both are free, and neither involves sending any of your data or keys to an additional third party — all the magic happens on your computer or device. However, there are trade-offs associated with each.

The TrueCrypt Option

The most commonly offered solution is to place your sensitive files in a TrueCrypt volume and save that volume file into your DropBox.

Pros:

  • TrueCrypt is open source, making it the most trustworthy and future-proof option.
  • For extremely sensitive info, TrueCrypt allows you to maintain plausible deniability.

Cons:

  • There is currently no way to use or access TrueCrypt volumes on your phone. This is true both for iPhones and Android phones.
  • TrueCrypt volumes need to be given a fixed size at the time of creation, forcing you to guess how big they’ll need to be in the future and usually resulting in wasted space.
  • You need to be careful not to have the volume “mounted” on more than one computer at a time to avoid corrupting it. Because there’s nothing to prevent you from doing this, you can easily end up corrupting the volume or creating a lot of large “conflict copies” of the volume by accident if you forget this.
  • Because DropBox can’t back up changes to any of your encrypted files until you actually unmount the whole volume, you have to remember to unmount it periodically, which can be cumbersome.

The BoxCryptor option

BoxCryptor is a newer solution that works by encrypting individual files on your computer, before they are sent to DropBox. Like TrueCrypt, the software runs on both Windows and Mac OS.

Pros:

  • BoxCryptor has an Android and an iPhone version of their software, making it possible to access encrypted DropBox files from your phone.
  • The software has limited compatibility with the open-source EncFS encrypted file system, making it at least somewhat future-proof.
  • File-level encryption makes it much less clumsy to use, and allows DropBox to sync encrypted files just as seamlessly as normal files, and without additional likelihood of conflicts where multiple computers are involved.

Cons:

  • The iPhone app is $8 for non-commercial use. This seems stupidly high, considering the Windows and Mac versions are free and they have no back-end infrastructure to maintain.
  • No form of plausible deniability is available in either the desktop or mobile versions of the software.
  • BoxCryptor is not open-source, so ultimately your trust in the software comes down to your faith in Robert Freudenreich’s ability to correctly implement the security algorithms, to keep maintaining the software, and not to spy on his users. I’m not saying he’s untrustworthy, just that non-open software comes with risks and weaknesses. The security community at large does not have a way of thoroughly and independently evaluating the software, and that represents a security weakness, for one. Furthermore, if Robert or his company loses interest in the software (which can happen for any of a dozen reasons) you will need to take notice and migrate to another solution before you lose all ability to support the now-defunct software.
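
The sync trade-off between the two options (conflict copies of a single fixed-size volume versus independently synced per-file ciphertexts) can be modelled in a few lines. This is an added example, not code from the original post or from either product; the file names, `VOLUME_SIZE`, and the stand-in cipher are assumptions made for the demonstration.

```python
import hashlib, hmac, os

VOLUME_SIZE = 4096  # constructed: container size fixed at creation time

def _xor_stream(key, nonce, data):
    # Stand-in cipher for this demo only (HMAC-SHA256 keystream, no
    # authentication); not the algorithm of TrueCrypt or BoxCryptor.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def decrypt(key, blob):
    return _xor_stream(key, blob[:16], blob[16:])

def as_container(key, files):
    """Container model: all files packed into one fixed-size encrypted volume."""
    packed = repr(sorted(files.items())).encode()
    if len(packed) > VOLUME_SIZE:
        raise ValueError("volume full: size was fixed at creation")
    return {"vault.tc": encrypt(key, packed.ljust(VOLUME_SIZE, b"\0"))}

def as_per_file(key, files, previous=None):
    """File-level model: one ciphertext per file; untouched files keep their blob."""
    previous = previous or {}
    out = {}
    for name, data in files.items():
        old = previous.get(name + ".enc")
        keep = old is not None and decrypt(key, old) == data
        out[name + ".enc"] = old if keep else encrypt(key, data)
    return out

def sync_conflicts(base, side_a, side_b):
    """Sync objects changed on both machines since the last common state."""
    changed = lambda side: {n for n in side if side[n] != base.get(n)}
    return sorted(changed(side_a) & changed(side_b))

def demo():
    key = os.urandom(32)
    files = {"taxes.txt": b"2011 return", "ids.txt": b"passport scan"}  # constructed
    laptop = {**files, "taxes.txt": b"2011 return, amended"}
    desktop = {**files, "ids.txt": b"passport scan v2"}
    base_c, base_f = as_container(key, files), as_per_file(key, files)
    return (sync_conflicts(base_c, as_container(key, laptop), as_container(key, desktop)),
            sync_conflicts(base_f, as_per_file(key, laptop, base_f),
                           as_per_file(key, desktop, base_f)),
            len(base_c["vault.tc"]))
```

`demo()` edits a different file on each of two machines: the container model reports the whole volume as conflicting, while the per-file model reports no conflict at all.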