The Iron Yuppie

Thought[ful|less] coverage of news, politics, technology and anything else that catches my fancy.

Friday, October 19, 2007


While I'm On the Subject of Passwords...

Let me give a thumb up (note, not thumbs) to Roboform. I can't believe I haven't used this before. Actually, I think I have used it before; I think it was just 10 years ago and it was miserable. Well, it's no longer miserable, but it could use a LOT of UI and UX help. It is great for not having to remember which permutation of my username or password I used on which site. Amazing how many differences there are, despite the fact that I try to use the same one everywhere. Yes, I know this is a huge security risk, but here's how I mitigate that (somewhat). Sites where I don't care at all about my account being compromised = one user and pass. Sites that are finance-related (there are probably a total of 10 of these) = another user and pass. Sites that are site-admin related = a third user and pass. It's not perfect, but it works. But now that Roboform can remember all this shit for me, I'll use it, plus the randomly generated password function. The biggest problem is going to any other machine - there should be a way to go to Roboform first, and then browse to another site through them so that Roboform can manage your login ... though this offers up a sweet vector for attack as well.

Let me take a step aside for two seconds and comment on something else. It is RIDICULOUS that there isn't a magic cloud out there (from MS most likely) that stores EVERY bit of custom data that I add to a machine. When I get to a new machine, it should take virtually no time for me to sit down and have everything that was on the old machine now on the new machine. Programs, settings, font color, etc. The transfer cable is a nice idea, but it's one time only, which makes it meaningless. I have a home computer, a laptop and a desktop at work... I HATE the number of times I've had to re-install and re-set the same setting over and over again. For all of you that say, no, this is actually very hard... it's very hard because YOU, the application developer, throw your shit all over the OS in shared libraries and whatnot. The registry is worthless... store your own config in your own directory, your own copies of shared libraries (if they're not installed), your own EVERYTHING, and you make everything easier.

Continuing on the subject of website security, I totally agree with this blogger: Captchas are lame. First, whatever site you're working on/with ... you almost definitely do not need a captcha. How about having a problem first with spammers using your site as a throughput and then implementing the solution? When I see it on some no-name blog, it just makes me think you're high on yourself. That's not to say you shouldn't use verification or logins to access your mailing function, just that you shouldn't be so full of yourself. Second, there are probably a bajillion other vectors of attack in your website; how about looking at some of those? I guarantee you have at least one SQL injection, weak password/infrastructure, XSS or other much more serious attack to deal with than comment / user account spam. Third, there are a million other tools out there, so stop pushing the pain onto me to use your site. You should be making it ridiculously easy for users to comment, not making them question whether or not it's worth it.

There was a creation the other day that almost made me question the above: The ReCaptcha Project. It's beautiful sideways thinking! In essence, they take printed text which machines can't read, scan it in and present it to users for translation. This translation goes back into the original project and helps to digitize the book. Like Mechanical Turk (one of the best names for a website ever, based on the ), except all three parties (the site looking to avoid spam, the digitizer looking for the translation, and the user who wants both a spam-free site and (theoretically) a world full of more knowledge) benefit.


Comments:
nice blog.