Yearly Archives: 2012

a note about passwords

Passwords bug me. Specifically, password management on most websites is maddening. Here are a few things to keep in mind when designing yours:

List your password-format rules up front. All too often, sites ask for a password with no indication of their format rules, then scream “ERROR!” when you don’t guess correctly. Yell at your users less by telling them what you want first.

Don’t limit the size of a password unless you absolutely have to. Honestly, it’s 2012. Databases can store unlimited-length strings, and the security of a password is improved by length. If your user wants to use the Gettysburg Address as a password, let them go for it.

Ditto for the content. If the user wants ancient Greek poetry for their password, then don’t freak out about the character set or complain that it doesn’t contain any numbers. Honestly, I once had a health-care provider prevent me from using spaces and punctuation in a password. “Alphanumeric characters only”. Way to be secure, guys.

Don’t limit the password format at all unless a compromised account will damage your service as a whole. No minimum length, no “special characters” requirement, no “at least one number”. I know, this is a tough one to swallow. Take an honest look at the worst a malicious user could do; if the only harmful effects are to the user choosing the password, then let them choose whatever they want.

Rate the strength of a password as the user types, and give hints on how to improve it. If you do this, though, get it right. It’s annoying to type in “correct horse battery staple” and have some out-of-date algorithm tell me it’s “Weak“. It’s worse if the system rejects it outright, but even the knowledge that your algorithm sucks makes me doubt the overall security of your system.

Check that your login fields are friendly to automatic login. I’m more likely to choose a unique password for a site when I can hand off the job of remembering it to my browser or keychain. Each time I have to click “forgot password”, though, my choice is going to be easier to remember (and probably less secure).

watching space stations dance

If you’re in Southern California on January 5th, you might get a chance to see two space stations in the sky at the same time. (Pretty cool, right?)

If it’s clear enough, and if I’ve read the magnitudes and times and directions correctly on Heavens Above, here’s what I’ll be doing that night:

  1. At 5:00pm I’ll go outside and stand in a nice dark spot. (I live in the middle of San Diego, so that takes a few minutes to find.)
  2. At 5:05 I’ll look to the northwest for a bright object moving toward the northeast. If it’s moving slowly and not blinking, it’s the International Space Station. Population: 6. I’ll wave to Daniel, Anton, Anatoli, Oleg, Donald, and AndrĂ©.
  3. At 5:07, when the ISS is as far up as it’ll get in the northeastern sky, I’ll look to the southwest for a dimmer object moving toward the northeast. If it’s moving slowly and not blinking, it’s Tiangong 1, the first part of China’s space station. Population: 0 so far.
  4. Until about 5:10, when Tiangong 1 is right overhead and ISS drops below the eastern horizon, I’ll watch the two of them share the sky.

Thanks to Allan Manangan for passing along the news from David Dickinson on Twitter.