A rant about passwords

Okay.  Having just attempted to change my password on a site which shall remain nameless, and having my desired password be rejected, I confess that I’m upset.  My grandmother told me never to write angry, but I’m going to ignore that advice for a moment.

Why is it that some website designers, in their supposed infinite wisdom, decree that they know better than their users what can comprise an acceptable password?  It’s my password, it’s my account, it’s my information: let me secure it how I want.  It’s bad enough when you get a message that your password is not secure enough to meet the lofty requirements of the site:

“Your password is too easy for you to remember, please add more punctuation and numbers and capital letters, and don’t use any words out of the dictionary.  Here’s a suggestion for your password: @#$S59u01Cxx7*(6. Perfect! We’ll just set that for you, rather than the password that you chose.”

Do these masters of security not realize that the first thing that happens when you force someone to use a completely incomprehensible, completely non-intuitive password like that is that the user WRITES THE PASSWORD DOWN???!! How on earth is this secure?  Indeed, I submit that these types of passwords are actually less secure, because they are not easy for the person to remember, and therefore leave records for someone else to discover.

Worse, though, from my perspective are those designers that decree from their lofty perches that your chosen password can’t be used because those same designers have decided that their users’ passwords must be constructed from a very limited set of allowable characters:

“I’m sorry, but your secure password is not acceptable because you must make your password out of only lower-case letters and numbers.  Here’s a good password for you: pa55w0rd

No one will ever, ever, ever guess that one, we promise!”

Dammit, get over yourselves.  Just let me use the password that I want to use, please, and let’s both move on about our business.

By the way: when I encountered the first type of message this morning, the password that I had wanted to use was this: ‘I like gibberish.’ That’s right: it was a passphrase, rather than a password: easy and intuitive for me to remember, but very difficult for someone to guess, and also difficult to crack.  Brute-force tactics against that password would statistically take many more years to break it than either I or the designer of the site would likely be alive, but it was decreed to be unsuitable because it contained no numbers.

When I encountered the second type of message this morning, the password that I had wanted to use was this: ‘Twas brillig, and the Hobbits did roam.’ Which was rejected because passwords for that particular site had to be eight characters or fewer and composed only of A-Z, a-z or 0-9.

So, putting on my professional’s hat for a moment, to give a small piece of advice to website designers:

  1. Let your user choose whatever password they want.
  2. It doesn’t matter to you what characters are in it, or how long it is, because you shouldn’t store that actual password at all.
  3. You should store an irreversible hash of the password instead, which, when done correctly, will:
    1. produce a value of a known and constant length.
    2. not reveal your user’s actual password in the event of your database being compromised by an attacker.
  4. All pages involved in either creating the password or logging in with it should be protected by SSL.
  5. You should then compare the hash of what the user submits to you to the hash you’ve stored in the database.
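One way to implement steps 2, 3 and 5 above, as an added example that is not code from the post: a password of any length and any characters goes in, a fixed-width record comes out, and login recomputes and compares. The post only says “irreversible hash”; the choices of PBKDF2-HMAC-SHA256, a random per-password salt, a high iteration count and a constant-time comparison are this example’s assumptions about what “done correctly” means.

```python
import hashlib
import hmac
import os

# Parameters are this example's choices; the post does not specify an algorithm.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str) -> str:
    """Store-side: return a self-describing record, algorithm$iterations$salt$hash.

    Any Unicode string of any length is accepted, and the returned record has the
    same width whatever the user typed (the post's points 3.1 and 3.2).
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=HASH_BYTES
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login-side: rehash what the user submitted and compare to the stored record (point 5)."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for pw in ("I like gibberish.", "Twas brillig, and the Hobbits did roam.", "pa55w0rd"):
        record = hash_password(pw)
        print(len(record), record)
        assert verify_password(pw, record)
        assert not verify_password(pw + "!", record)
```

The three records printed are all the same length, and the passphrases the site rejected are stored as happily as the eight-character one.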

Okay, rant finished.


Microsoft releases Visual Studio 2005 Beta 3 and calls it RTM

Update: I got a comment (see below) from Kevin Morrill at Microsoft who kindly informed me that a hotfix for this is in the works and coming. (Thank you, Kevin).

I really like .NET. I love C#. There are parts of Visual Studio that I really, really like. It is a great productivity tool, and developing for the Microsoft platform without it is painful at best.

However, there are parts of it that I really don’t like. The one that keeps sticking its head up is the fact that it’s unstable as all hell. For the past 5 years, each version which has come out has been less stable than the version before it for me. This culminates in Visual Studio 2005, which has just been released in its final version to MSDN subscribers.

You can reduce this version to a quivering mass of protoplasm stuck in an endless loop within 30 seconds. Reliably and reproducibly.

Try this:

Create a new C# console application.

In the Program.cs file, put two new classes into the namespace as follows:

class Something<T>
{
}
class Derived : Something<Derived>
{
}

Nothing up our sleeves here, right? We’re just saying that Something is a parameterized generic class, and that Derived inherits from it and refines the type parameter a bit.

So far, so good. Now for the sticky bit.

Go back into Something<T> and start defining a new property inside of the squiggly brackets. Something like this:

class Something<T>
{
    public bool IsOutToLunch
    {
}

See that squiggly bracket after IsOutToLunch? I’m willing to bet that if you were typing along, that’s exactly the point where your copy of Visual Studio simply stopped and is now completely unresponsive. Why? Because there’s a bug in the C# editor which just encountered an endless loop walking the object graph. It’s now hopelessly stuck trying to figure out the Derived is Something of Derived is Something of Derived…. relationship, and has sent Visual Studio off to La-la Land for a bit of a rest.

OK, so the code that we entered is probably questionable. It’s valid, though, to the best of my knowledge. Even if it weren’t, should it really lock up the editor? Because guess what? If you’ve done anything else and haven’t saved it when you type that squiggly of death, you just lost it. Hmm… That really inspires some confidence in me. How about you?

So now I’m paranoid. I have no idea when I’m going to suddenly type the wrong character at the wrong time. I save my work every 30 seconds. Type a character, save the file, type a character, save the file. Okay, so not really that bad, but you get the point; I feel like I can’t depend on the stability of the development environment. This leads me to question all sorts of other things that I really don’t have the time or desire to be questioning.

It pisses me off. Especially since the beta-testing community for Visual Studio was clamoring for another beta of this version, and were rebuffed by Microsoft because they had to make a certain date. Bad move, IMHO.

Oh, by the way, Microsoft’s official response to reports of this problem? "We’ll fix that in the next version." Uh, isn’t that in 2007? W. T. F?

Come on, JetBrains, where’s your .NET IDE? If you had it out right now, you’d have a sale. I’d switch over today and probably never look back.

BTW: I’m not the first to discover this. Frans Bouma has a rant about it, and so do several others out there.