Do you use MD5 or SHA1 to store passwords? Think they are secure? Think again.

While generic hashing algorithms are certainly better than storing passwords in plain text, it’s still not as secure as it should be. Users place great trust in us to ensure that their credentials will be secure and treated with the utmost respect; it’s our responsibility to live up to these expectations.

With the simplicity and speed of these general purpose algorithms, it’s possible to generate hashes looking for collisions (or even the original value) extremely quickly. It’s this speed that introduces the fatal flaw; with a database dump containing MD5 hashed passwords, with a fairly small investment most could be recovered within a very small amount of time (mere days for a large database).

Many people are moving to bcrypt as a solution. In Coda Hale’s “How To Safely Store A Password” he covers this topic in more detail, complete with useful stats and links to implementations in languages from C# to Ruby (even Erlang is represented).

If you are looking for ways to better protect your user’s data, take a closer look at your password storage.

When you move on to your next challenge how will those that inherit your code think of you? Noble or notorious, innovator or insane? This is a question that all developers should ask themselves frequently; though too few ever do. You should always write with the assumption that someday a new developer will take over your code, and they will question every decision and assumption you’ve made. When this happens, what will they think of you?

Perhaps I’m more aware of this because I maintain an internally developed shared library that my company uses in every application; but regardless of the scope of the project you should always assume that someday you will hand the project off. Many developers think little about what happens to their code after it passes on to another; what other developers will have to deal with, or how their efforts will be perceived.

When I’m training a new developer there are a few points I try to reinforce as much as possible:

1. Code is only good if other developers can work on it without extensive training. If it takes days or weeks of introduction to get a new developer up to speed, then you’ve done something wrong¹.
2. Clever solutions are no better than an ugly hack if it’s not clear what you are doing. If the code isn’t clear then it’s not maintainable, if it’s not maintainable then it’s junk.
3. Assume you’ll be hit by a bus. Always write code with the assumption that you won’t have the opportunity to cleanly pass the code off to a new maintainer. Never assume that you’ll have time to come back and clean things up later.
4. Always perform design reviews, no matter the size of the project². Once you have a design in mind, talk it through with a at least two other developers. Just because you think it’s clean and clear doesn’t mean that others will see it that way as well.
5. Be consistent, always. I’ve seen more projects ruined by people doing things “their way” than anything else. Match style and design when working on an existing project. Be careful when adding new techniques, technologies, or methodologies to an existing project; unless you are willing to update the entire code-base, you can easily create a minefield without realizing it.

If you want your work to be seen positively after you move on, start thinking about your heirs today. The opinion they have of you will be almost entirely based on what they see in your code – not the stories or memories left behind.

¹ – There are always exceptions; these are generalized guidelines, not hard and fast rules.
² – This includes “throw away” projects, many projects that are intended to have a short life end up living far longer than intended. This is the most likely place that your heirs will find code that makes them question the quality of your work.

I’ve been a fan of bbPress for quite some time; I’ve even contributed code to the project. For those that aren’t familiar with it, bbPress is an open-source forum system written in PHP. It’s fast, lightweight, easy to install and even easier to use. It also scales, quite well.

bbPress was originally written to power the support forums WordPress.org, which get quite a bit of traffic. Later, it was released as a separate project. While it doesn’t have nearly the feature set found in more popular systems such as vBulletin or phpBB; it makes up for it in simplicity. It’s designed to be conversation-centered, where the clear focus is on what people are saying, not the bells and whistles provided by the software.

I’ve used it for a couple sites and couldn’t be more pleased; though now I fear the end may be near.

Automattic, the company behind Wordpress.com (and ListPress.com) has committed to supporting the project; though primarily in context to its role in the WordPress world. bbPress as a separate product has so much potential, though it seems Automattic has little interest in this; instead the interest seems to be in making bbPress just another add-on for WordPress.

At one point there was a lot of excitement and interest surrounding bbPress, though for a project like this to succeed you need input from the community, you need an open and fast paced development process. Unfortunately for bbPress, it had no such process. There were people who had the skill, time, and interest to lead the project and make it a success; but they were pushed away and the project was allowed to stagnate.

Today, there is some activity going on, and I’m glad to see that it won’t fade away completely; though I see little chance that it will live up to what it could have been. I have a lot of respect for Matt and Automattic; they’re very successful and build great products; but they could have done so much more.

bbPress will go on I’m sure; though I believe only as a shadow of what it could have been. Though maybe Matt will prove me wrong, I certainly hope so.

Good developers need good tools, it’s simple as that. If you are building software for Windows, the only real option is Visual Studio. The down side to Visual Studio? The $1,200 starting price tag. While Microsoft is now providing the free Express editions, these are aimed more at hobbyists, not serious developers.

Microsoft thankfully is here to help: If your company is less than three years old and has less than $1 million in annual revenue, they have a program to give you all that you need. BizSpark provides the key tools and technologies to get your start-up moving without impacting your budget.

The BizSpark program provides Visual Studio Team Suite + MSDN Premium for your developers (up to 25),  plus production licenses for software like Windows 2008 Server and SQL Server 2008. Unlike Microsoft’s other start-up helper Empower, there are no requirements that you use certain technologies or pursue any certifications.

While Empower does provide licenses for things such as Office for employee use which BizSpark does not, BizSpark more than makes up for it in the production server licensing.

For a start-up with little funding (normally what the founders happen to have in the bank), building for the Linux platform using MySQL and Ruby on Rails can be very tempting. Now with BizSpark the money takes a back seat (at least for the first three years), and the technologies can compete on a level playing field.

I’ve been a fan of Tasks for quite some time, though as time goes on and updates don’t come out, it seems less and less attractive. As most web-based services have fully embraced Web 2.o with all its AJAXy goodness, Tasks remains firmly entrenched in Web 1.0; and I’ve finally given up.

We are in a world where instant is no longer a nice-to-have, but an absolute must. Applications and services should; no, must provide immediate feedback and minimize full page loads whenever possible. Tasks has failed on this front.

Enter Remember The Milk, a simple yet highly customizable task management system. While some things are rather different from Tasks (such as having multiple task lists, and not having nested tasks) for the most part it does everything that Tasks does – only it’s free (or $25/year for a Pro account). With a low price, simple easy to use interface, and plenty of AJAX to keep things moving – it’s a real winner.

When I started using RTM the biggest issue I had was the lack of nested tasks that I had become so accustomed to in Tasks. The more I use RTM though, I’m finding that not burying tasks inside of other tasks is actually helping me to get more done, as less is being lost and forgotten about. While seeing all of the tasks laid out in front of me does seem a bit overwhelming at times, I am getting more done.

Overall, RTM helps me get thing done, while wasting as little time as possible managing tasks. Highly recommended.

I normally don’t write posts just to point out an article by another author, but the latest by Jeff Atwood is a must read:

Hardware is Cheap, Programmers are Expensive

I point this out because this is something I’ve been fighting recently. It’s easier for management to tell the development team to fix a performance issue than to request money for the new hardware that’s needed.

In the long run it would be much cheaper to just throw more hardware at it – though that requires higher level approval. Whereas assigning a couple developers doesn’t require going nearly as high.