There’s not a universal standard for what a valid password on a website must look like. Some sites allow you to use any four letters. Others require at least twenty characters, including at least one numeric digit and one “special character” (aka punctuation). Even when using a password manager, the process of creating a good one looks a lot like:
- Turn the password manager’s strength settings all the way up and generate a password.
- The website replies “passwords can’t be more than 20 characters long”.
- Adjust the length down to twenty. Generate a new one and send it to the website.
- The website replies “passwords may only contain the special characters ‘$_!#’”.
- Adjust the number of symbols down to zero. Generate. Try again.
- The website replies “passwords must contain at least two special characters”.
- Turn the number of symbols back up to two. Click “generate” until you get a password that contains punctuation from “$”, “_”, “!”, and “#”, but nothing else. Generate. Try again.
- …and repeat until you’ve appeased the website’s rules.
I propose instead that websites should document their password rules in a standardized, machine-readable manner. For instance, suppose that each site hosted a file in a pre-defined location, like /.well-known/password-rules.yaml, in a format such as:
Then tools like 1Password could look for that file and tune their settings to suit. The new process for creating a password would look like:
- Tell 1Password to generate a password for the site you’re currently looking at.
- It fetches the rules file, interprets it, creates a password that satisfies all the requirements, and pastes it in the password field on the site.
Further suppose that the standard defined the calling conventions of a REST endpoint for changing passwords, and the rules file included that URL like:
Wouldn’t it be just lovely if 1Password could automatically update every such website on a monthly basis, or whenever a site announces a security breach?
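To make the proposal concrete, here is an added example (not code from the original post, and not 1Password’s) of the client side: a hypothetical rules file is parsed, a password is generated to satisfy it by construction, and the result is checked against the same rules. The schema keys (`min_length`, `max_length`, `allowed_symbols`, `min_symbols`, `min_digits`, `min_upper`, `min_lower`) are an assumption, since the post does not fix one; the file text is constructed, and the tiny `key: value` parser stands in for fetching and YAML-parsing `/.well-known/password-rules.yaml`.

```python
import secrets
import string

# Constructed sample of a hypothetical /.well-known/password-rules.yaml.
# The key names are an assumed schema, not one the proposal defines.
SAMPLE_RULES_FILE = """\
# password rules for example.test (constructed example)
min_length: 12
max_length: 20
allowed_symbols: "$_!#"
min_symbols: 2
min_digits: 1
min_upper: 1
min_lower: 1
"""

_rng = secrets.SystemRandom()  # CSPRNG-backed shuffle


def parse_rules(text):
    """Parse a flat 'key: value' file into a dict (a deliberately tiny YAML
    subset; a real client would use a YAML library). Only whole-line comments
    are stripped so that '#' inside a quoted value survives."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("\"'")
        rules[key.strip()] = int(value) if value.isdigit() else value
    return rules


def _class_alphabets(rules):
    # Map each minimum-count rule to the characters that satisfy it.
    return {
        "min_symbols": rules.get("allowed_symbols", ""),
        "min_digits": string.digits,
        "min_upper": string.ascii_uppercase,
        "min_lower": string.ascii_lowercase,
    }


def validate(password, rules):
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    if len(password) < rules.get("min_length", 0):
        problems.append("too short")
    if len(password) > rules.get("max_length", len(password)):
        problems.append("too long")
    allowed = set(string.ascii_letters + string.digits + rules.get("allowed_symbols", ""))
    if any(c not in allowed for c in password):
        problems.append("disallowed character")
    for key, alphabet in _class_alphabets(rules).items():
        if sum(c in alphabet for c in password) < rules.get(key, 0):
            problems.append(f"{key} not met")
    return problems


def generate(rules):
    """Generate a password satisfying `rules` by construction: pick the
    required characters from each class first, fill up to the longest
    allowed length from the union of allowed characters, then shuffle."""
    classes = _class_alphabets(rules)
    required = []
    for key, alphabet in classes.items():
        need = rules.get(key, 0)
        if need and not alphabet:
            raise ValueError(f"{key} required but no characters are allowed for it")
        required.extend(secrets.choice(alphabet) for _ in range(need))
    # Strength "all the way up": use the site's maximum, else at least 20.
    length = rules.get("max_length", max(rules.get("min_length", 0), 20))
    if len(required) > length:
        raise ValueError("contradictory rules: more required characters than max_length")
    pool = "".join(classes.values())
    chars = required + [secrets.choice(pool) for _ in range(length - len(required))]
    _rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_FILE)
    pw = generate(rules)
    print(pw, validate(pw, rules))  # violations list should be empty
```

Generating from the constraints rather than rejection-sampling an unconstrained password means the loop in the post (generate, get rejected, adjust, retry) collapses to one step, and contradictory rules (for example a symbol minimum with no allowed symbols) surface as an error before anything is sent to the site.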
I was on an early morning walk and came across a guy staring at the telephone wires. As I approached, I caught the distinct aroma of marijuana. I turned to see what he might be looking at, and he held a finger to his lips to quiet me. He whispered, “there’s a mockingbird up there. If you listen, he’ll ring like a bell.” Sure, buddy.
So we stood there in silence, and then the little bird opened his mouth and sang chimes to us. He rang like a bell.
The stranger and I looked at each other, then smiled and laughed as we went our separate ways. That was a nice way to start a day.
Ajit Pai claimed that when the FCC asked citizens to comment on Net Neutrality, their website was attacked with a distributed denial of service, or DDoS. I’ve heard many of his defenders claim that an overwhelming number of people trying to use the website to comment was in fact a DDoS. This is a lie.
It was not a kind of DDoS. Words mean things, and “DDoS” specifically means a coordinated attack. What the FCC experienced is what we call “heavy traffic”. A car analogy:
- “Heavy traffic” is rush hour on the freeway.
- “DDoS” is a mass protest with people physically blocking lanes on the road.
Even though the end result might be everything moving slower than desired, if you’re stuck in traffic but you tell your boss that you’re late to work because a protest blocked the street, you’re exactly as much a liar as Ajit Pai was when he perjured himself to Congress.
I registered Honeypot.net on July 2, 1998, so today is its twentieth birthday. We’ve had fun, little domain. Here’s to twenty more!
At a Crucial Juncture, Trump’s Legal Defense Is Largely a One-Man Operation – The New York Times
“Joseph diGenova, a longtime Washington lawyer who has pushed theories on Fox News that the F.B.I. made up evidence against Mr. Trump, left the team on Sunday. He had been hired last Monday, three days before the head of the president’s personal legal team, John Dowd, quit after determining that the president was not listening to his advice.”
“Mr. Dowd had concluded that there was no upside and that the president, who often does not tell the truth, could increase his legal exposure if his answers were not accurate.”
Jokes about “the best people” aside, it sounds like genuinely competent people want nothing to do with the fiasco in DC.
If you pay for a 100Mbps cable connection to the Internet and your plan sets a 300GB data cap, you can use your connection at full speed for 8.3 hours per month before hitting overuse charges.
If your cell phone plan supports 50Mbps LTE speeds and has a 10GB data cap, you’re only allowed to use it at full speed for 33 minutes per month.
I think it’s deceptive for an ISP to advertise an Internet connection’s speeds without disclosing how much you can actually use it without being disconnected or racking up extra fees. I’ve written to my senators asking them to introduce legislation to protect customers from this misleading and predatory practice:
I believe that all Internet service providers should be required to disclose, as part of their advertising, how many minutes you may use their service at full speed without hitting data caps.
For instance, a cable company advertising “100 megabits!” but imposing a 300GB data cap only allows their users to download information for about 8 hours per month. A cell phone company that advertises fast 50 megabit LTE speed but has a 10GB data limit only gives their customers about 33 minutes per month of full speed usage.
I believe that simultaneously advertising fast Internet connections while only allowing customers to use it for a short amount of time each month is highly deceptive and should be illegal. Please introduce truth in advertising legislation requiring ISPs to disclose what portion of time customers on a typical plan would be allowed to use an Internet service being advertised.
I don’t reasonably expect anything to come of this, but I’m going to try anyway.
Airlines Restrict ‘Smart Luggage’ Over Fire Hazards Posed By Batteries : The Two-Way : NPR:
“Beginning Jan. 15, customers who travel with a smart bag must be able to remove the battery in case the bag has to be checked at any point in the customer’s journey. If the battery cannot be removed, the bag will not be allowed,” American said in a statement on Friday. The same day, Delta and Alaska announced similar policies on their flights.
American’s policy dictates that if the bag is carry-on size, passengers can take the luggage onboard, so long as the battery can be removed if needed. If passengers need to check the bag, the battery must be removed and carried onboard. But if the bag has a nonremovable battery, it can’t be checked or carried on.
An FAA spokesman told The Washington Post that the airlines’ policies are “consistent with our guidance that lithium-ion batteries should not be carried in the cargo hold.”
Last month I wrote: “Listening to an ad for luggage with a built in USB charger, which may be the worst idea ever. Now your suitcase can grow obsolete. What if it breaks? Or a bigger battery comes along? And you always have the weight penalty even when you don’t need it.” I think we can all agree now that this is a terrible idea for many reasons.
Software authors are increasingly switching to subscription models to make their work “sustainable”. Too often they’re forgetting to make a value proposition that helps their customers. Here’s a hint: if you have to write a Medium post explaining why I should support your new business model, you’re doing it wrong.
Continue reading “App subscriptions must offer value”
In computing, metric-sounding prefixes almost universally refer to sizes expressed as powers of two:
- kilo = 2^10 = 1024
- mega = 2^20 = 1,048,576
- giga = 2^30 = 1,073,741,824
- …and so on.
In 1998, the IEC incorrectly voted to change that, and it’s time to fix this mistake.
Continue reading “Introducing metric quantity units for computing”
I don’t travel a lot, so when I do I invariably find that I’ve forgotten something important (9 PM the night before: “say, dear, where are we boarding the dogs?” “I thought you were doing that!”). I wrote an AppleScript to copy items from an OmniOutliner document to an OmniFocus project so that I never have to forget again.
Continue reading “Traveling with OmniFocus and OmniOutliner”