Comments for Less Post More GET

Comment on Line count and maintenance cost by Thoughts on Pair Programming « Less Post More GET

Thoughts on Pair Programming « Less Post More GET — Tue, 22 Jun 2010 19:55:46 +0000

[...] that pair programming tends to keep developers near the minimum of the cost curve (written about in Line Count and Maintenance Cost) instead of the arcane and wordy areas of the [...]

Comment on 25 Thoughts on Agile Development by Markus Waletzko

Markus Waletzko — Wed, 26 May 2010 15:44:18 +0000

Web video at its best! Do you have any advice for someone just out of university

Comment on Login forms are broken in ruby on rails by wiscoDude

wiscoDude — Sat, 27 Feb 2010 16:44:28 +0000

Hey Craig, thanks for the comments.

All systems for logging in that I know of do not enforce uniqueness among passwords. It would be a strange constraint on a user’s password and I think there are enough of those already. (passwords gone wild)

So, you could never reliably look up a user by the password entered. The only choice is to first look up by the unique token (email address, user name, whatever) and then make sure the password entered matches the password stored. (I’m simplifying, we shouldn’t store the original password.)

With this said, your example doesn’t actually cause a problem. “def” could be the password for multiple people and it is simply ignored because we can make no claims with the paucity of information it contains.

On the other hand, because user names are forced to be unique, we can very well assume that if a person enters John123, they intended to sign in to that account.

It still comes down to an incomplete or misguided notion of security by the developers of the common rails authentication gems.

Comment on Login forms are broken in ruby on rails by Craig

Craig — Fri, 26 Feb 2010 21:49:06 +0000

The reason for the ambiguous error message may not be just security. Consider two users: John123 (password: “abc”) and John124 (password: “def”). If I enter John123 and “def”, how do I know which is wrong. It is a valid password for somebody, and it is a valid username for somebody else. All I know is that the two do not match, so I tell them that one of them is wrong. It is not about security at all, it is about my inability to distinguish which field is wrong.

Comment on No-Reply Emails? Why would you ignore your customer? by Regina

Regina — Fri, 26 Feb 2010 15:38:58 +0000

OMG, I have been searching for this information. Technology always gets the best of me when I need it most.

Comment on 25 Thoughts on Agile Development by Mark McEahern

Mark McEahern — Sat, 13 Feb 2010 02:38:14 +0000

The ability to prioritize is often missing. A way to measure this is the degree to which people feel comfortable with a list of deferred features. I always felt a sense of accomplishment when I could say we were done with something without hiding the fact that there were features that weren’t done.

You can argue about whether any given non-implemented or not completely implemented feature is important. But stack it up against releasing the features that *are* implemented. Does the cost of its absence or the benefit of its presence outweigh the cost of not delivering what’s already done?

Talking about requirements often leaves unchallenged the notion that there is some System that is the full and complete set of requirements. Feature talk is all about a world of infinite variety and choice.

Comment on + (plus) don’t get no respect by wiscoDude

wiscoDude — Wed, 07 Oct 2009 12:16:47 +0000

Thanks Veez. Getting comments motivates me to finish some posts on my list. I’ll bang out a post this weekend.

Comment on + (plus) don’t get no respect by Veezus Kreist

Veezus Kreist — Tue, 06 Oct 2009 23:47:53 +0000

I use plus notation all the time, and I agree with everything in your post. However, that Tombstone reference is so awesome that I felt compelled to leave a comment. Nicely done!

Comment on Login forms are broken in ruby on rails by wiscoDude

wiscoDude — Fri, 04 Sep 2009 19:58:23 +0000

Great point Jon.

We’re definitely closer now than we were a year ago. There are getting to be more systems that people are signed into all the time. Outsourcing authentication to those other sites where people are almost always signed in, to automate authentication for your site – where your users are probably almost never signed in – is the way to go.

With the latest funding for JanRain, we’ll probably see many improvements in the coming year.

But for now, as a site owner, I get a bit nervous about my user’s understanding that process. Looking forward to when this is no longer an issue.

Comment on Login forms are broken in ruby on rails by Jon Larkowski

Jon Larkowski — Fri, 04 Sep 2009 03:41:54 +0000

Totally agree! In most contexts anyways…

However, there’s an even deeper rant that I have… Just use OpenID! Let another service worry about authentication issues. That shouldn’t be your app’s concern. Slap on something like https://rpxnow.com/ and be done with it.

This is wishful thinking, though. It’s the thinking of a programmer who’d rather outsource this nonsense and get to the real meat of the app.

I’m aware that you’ll probably just lose a ton of customers who can’t figure out OpenID. But it’s my dream of convenience that one day, every web app I sign in to is just OpenID.