Tue, 13 Apr 2010

You're doing it wrong!

It's been far too long since I've really complained about something.

${Work} has decreed that passwords must be changed regularly and today it was my turn. Fine, despite the usual silliness in reducing the key space (by enforcing certain sets of characters to be present) and a ridiculous maximum length of 8 characters, I can deal with that. pwsafe generates and remembers the password for me. After a while I even manage to remember it myself.

Clearly that's not a good rant. This, however, is worth complaining about:

How _not_ to do web development

That's the brand shiny new piece of *(*^#%*@% password change tool I'm supposed to use to change my password. The first thing it does is demand four security questions. Yes, that's right, someone's been stupid enough to think they do anything other than reduce security.
I did the obvious thing:
  dd if=/dev/urandom bs=1k count=10 | md5sum
Just divide the result into four more or less equal parts and there are the answers to the insecurity questions. Simple, except it rewards me with the above session timeout.
Note that 'back' and 'forward' should not be used, in defiance of 20 years of precedent. Also note that if you're a slow reader you'll just get the login page again.
After all, it's not nice to show error messages to the users. It upsets them so it's best to hide them as soon as possible.

posted at: 21:19