It's a Doozy!
http://whencanireusethiscalendar.com/
Now you can go digging through that chest of crap from the 1990s and pull out your favorite cute puppies calendar. In 2010, you can re-use calendars from 1999, 1993, 1982, 1971, 1965, 1954, 1943, and 1937.
Thanks to Apple shipping everyone’s iPhone to be delivered last Friday, my package tracking website Boxoh.com saw double the number of absolute hits and six times the number of Adsense impressions. That’s a lot of iPhone recipients mashing F5 all day long.
Let’s hope more of them turn into return visitors. I do have several features in the works to help make the site more compelling for regular users and one-timers alike.
As a follow-up to my last post, here are a few tips to help keep you from driving your site users away with misguided password restrictions.
Your tweets may be precious to you, but as a web developer, you should understand the differences between password security for Twitter and for online banking. Consider the monetary and legal damages that to both you and your customers if their account were compromised and plan accordingly.
Since you are properly protecting passwords by only storing a hash, there is no reason to limit characters they use in their passwords. Don’t tell your users they can’t use symbols or start their password with a space if that’s what they want to do. In the end, all you’ll be storing is an alphanumeric hash of the password anyway, so it shouldn’t matter if they send you a bunch of binary gook.
Set reasonable requirements for password rotation. If yours is a high-security system, it is reasonable to require password rotation every few months. In order to prevent abuse, it is even reasonable to check for duplicates against the last N password hashes or all of the hashes used the last few months. Before implementing any password rotation scheme, be sure you’ve visited and revisited #1 above.
Despite the practices of some sites, there is rarely if ever a good reason to keep an unlimited log of every password a person has used, never letting them be reused.
Let’s assume someone really wants into one of your user’s accounts. If they had the capabilities of attempting a blistering 1,000 different passwords per second, here’s how long it would take to try every possible combination:
| Min length | a-z | a-z, A-Z | a-z, A-Z, 0-9 | a-z, A-Z, 0-9, Symbols |
|---|---|---|---|---|
| 6 | 3 days | 225 days | 2 years | 22 years |
| 7 | 90 days | 32 years | 110 years | 2,035 years |
| 8 | 6 years | 1,663 years | 6,814 years | 191,258 years |
| 9 | 166 years | 86 millennia | 422 millennia | 17,978 millennia |
The exponential growth of possible combinations makes password cracking infeasible pretty quickly. Assuming 1,000 attempts per second is ludicrous against a webserver, but assuming your database isn’t compromised, this should be the only means an attacker can brute force an account. The time to compute reaches absolute absurdity after just 8 lowercase characters.
As in character taboos, what do you care if your users have 100 character long passwords? It is reasonable to put a ceiling on password lengths to prevent blatant abuse (perhaps in the neighborhood of 500-1,000 chars), but don’t limit your users to a 12 character password because that’s all your schema can hold.
Remember that you should be hashing passwords and that most hashes produce a fixed-length output no matter the input.
Just a quick note to any developer, site owner, or project manager who is in charge of developing a user login system:
Don’t put unreasonable restrictions on usernames.
It is sensible to prevent people from creating names containing certain characters or names of extreme length. However, some sites go too far by requiring all user names be 7-12 characters in length. Other sites forbid user names that begin with numbers.
A more reasonable approach would be to allow user names from 3 to 16 characters, with a limited set of punctuation allowed, and the first letter cannot be whitespace.
Remember that user names are generally public information so you don’t need to apply the same protections you do to ensure strong passwords. Do the right thing and your users will thank you by not abandoning your account creation form.
Google Voice is a very interesting service. If you were one of the people (like myself) that got an account on GrandCentral.com before they were bought out by Google, you are now eligible to be part of the Google Voice beta.
It offers a lot of interesting services such as visual voicemail, speech to text, VOIP, free long distance, and many others. However, in order use most of these, you need to use the phone number Google assigns you. Google can’t be your voicemail provider unless all of your calls are routed through them first.
So are you going to hide your current cell phone number and tell all of your friends and family to call your GV number instead? Unlikely.
I believe it is much more likely that Google is actually moving to become a telephone service provider themselves. That way, you just transfer your phone number to Google and they give you all of the great features of GV along with it. However, in order to participate in LNP (the FCC program that enables users to transfer phone numbers between providers), they must become a wireless carrier.
I know it sounds unbelievable. I am somewhat skeptical myself. It seems like quite a stretch for them to actually get into voice service. After all, couldn’t Google just partner closely with the existing providers and integrate their GV directly into your existing plan? Unfortunately, cellular service providers would probably never play ball with Google this way. GV bundles free long distance VOIP, SMS, and (quite possibly) unlimited airtime.
Many people were skeptical when a search engine company was rumored to be branching into email. There was even more surprise as the rumors of a Google phone came true. Now that they have their own cell phone OS and a fantastic web integration platform, it is not inconceivable that they will take the next step and start leasing tower space.
Google is out to eat the telco’s lunch.
Google Voice is the long awaited re-release of Grand Central, an online voice communications service. Based on their beta, Google Voice will essentially be a Gmail for voicemails with call forwarding, filtering, SMS, VOIP, and speech to text.
They appear to be assigning Montana area code (406) phone numbers to folks who call or SMS a Google Voice user. I can only assume that the generated number will be your default Google Voice number if you eventually sign up.
If you would like to know your default Google Voice number, send an SMS to 206.855.5330. I’ll reply back to you with your number. Once established, you can start receiving calls at that number that are forwarded to your phone.
Disclaimer: I don’t know if the numbers are permanent, but they appear to keep working after at least two weeks.
Thanks to the site Feed43.com, I was able to quickly and easily generate an RSS feed to the PHP5 Changelog, a very large page that doesn’t already have a feed.
Check out the PHP 5 Changelog Feed.
Feed43 beats Yahoo’s Tubes service because if a page is too large, it simply truncates it to a usable length. Tubes will simply fail to process a page that it deems is too big.
A co-worker just pointed out a wonderful new tool for those who are frequently bothered by people who would rather ask you question instead of Googling it themselves:
Aside from being snarky and satisfying, it immediately struck me as a brilliant money maker. Perhaps even the best Google AdSense for Search referral generating tool since Mozilla put the Google search bar in every broswer it ships (Mozilla pulled down 75 million USD last year from your searches).
So, next time your cousin wants to know all about mesothelioma, send your response by way of LMGTFY and know that those guys are probably making a good chunk of the $40-$60 CPC the keyword “mesothelioma” commands.
Of course, I am in no way affiliated with LMGTFY. If they aren’t using their site as a Google search revenue generator, they’re missing out.
Update:
I’ve delved into their code and it would seem that they aren’t currently monetizing their searches. Perhaps it is better this way because it might break Google TOS to have their current gag auto-submit the search on behalf of the user.
Still, if you arrived on this page after searching for mesothelioma, I have my own ads that I use to help cover the cost of this and all my other sites. Just sayin’…
Update 2:
Good for them! The site is now sponsored by 37 Signals and they are bouncing traffic through Google AdSense for Search. Unfortunately, the referral version of the search results does not have the pretty look that traditional search results do. However, this does not degrade from the original thrust of the site which is to teach people that they, too, can use the Google.
There was once a time when having a Gmail account made you part of an exclusive, trendy club among some subcultures. Having Gmail invites at that time made you even more popular. During those days, I ran a Gmail invite spooler that distributed over 1.2 million invites, making it the most popular Gmail invite service. Two years after pulling the plug, it is still the 4th most popular non-Google Inc. search result for the word Gmail.
Over the past few months, I’ve been asked several times to set up a similar service for Joost. After much procrastination, I’m now dusting off the invite spooler service, giving it a new face, and adapting it for Joost and other invite services.
This is where I need your help. I’ll need at least one invite in order to test the updated tool. If you have a joost account and have invites to share, please send an email to joostinvite@isnoop.net.
Congratulations to Redfin on their big 4.0 release yesterday. They have updated their look, added a new logo, made the maps expand with your screen size, and added several other new features that housing shoppers will enjoy.
Best of all, they spent plenty of time in QA to make sure there were no big bugs or undue downtime in the transition.
Now, if only their backend was in PHP instead of Java.