Do you use MD5 or SHA1 to store passwords? Think they are secure? Think again.

While generic hashing algorithms are certainly better than storing passwords in plain text, it’s still not as secure as it should be. Users place great trust in us to ensure that their credentials will be secure and treated with the utmost respect; it’s our responsibility to live up to these expectations.

With the simplicity and speed of these general purpose algorithms, it’s possible to generate hashes looking for collisions (or even the original value) extremely quickly. It’s this speed that introduces the fatal flaw; with a database dump containing MD5 hashed passwords, with a fairly small investment most could be recovered within a very small amount of time (mere days for a large database).

Many people are moving to bcrypt as a solution. In Coda Hale’s “How To Safely Store A Password” he covers this topic in more detail, complete with useful stats and links to implementations in languages from C# to Ruby (even Erlang is represented).

If you are looking for ways to better protect your user’s data, take a closer look at your password storage.

When you move on to your next challenge how will those that inherit your code think of you? Noble or notorious, innovator or insane? This is a question that all developers should ask themselves frequently; though too few ever do. You should always write with the assumption that someday a new developer will take over your code, and they will question every decision and assumption you’ve made. When this happens, what will they think of you?

Perhaps I’m more aware of this because I maintain an internally developed shared library that my company uses in every application; but regardless of the scope of the project you should always assume that someday you will hand the project off. Many developers think little about what happens to their code after it passes on to another; what other developers will have to deal with, or how their efforts will be perceived.

When I’m training a new developer there are a few points I try to reinforce as much as possible:

1. Code is only good if other developers can work on it without extensive training. If it takes days or weeks of introduction to get a new developer up to speed, then you’ve done something wrong¹.
2. Clever solutions are no better than an ugly hack if it’s not clear what you are doing. If the code isn’t clear then it’s not maintainable, if it’s not maintainable then it’s junk.
3. Assume you’ll be hit by a bus. Always write code with the assumption that you won’t have the opportunity to cleanly pass the code off to a new maintainer. Never assume that you’ll have time to come back and clean things up later.
4. Always perform design reviews, no matter the size of the project². Once you have a design in mind, talk it through with a at least two other developers. Just because you think it’s clean and clear doesn’t mean that others will see it that way as well.
5. Be consistent, always. I’ve seen more projects ruined by people doing things “their way” than anything else. Match style and design when working on an existing project. Be careful when adding new techniques, technologies, or methodologies to an existing project; unless you are willing to update the entire code-base, you can easily create a minefield without realizing it.

If you want your work to be seen positively after you move on, start thinking about your heirs today. The opinion they have of you will be almost entirely based on what they see in your code – not the stories or memories left behind.

¹ – There are always exceptions; these are generalized guidelines, not hard and fast rules.
² – This includes “throw away” projects, many projects that are intended to have a short life end up living far longer than intended. This is the most likely place that your heirs will find code that makes them question the quality of your work.

While working on the list of tools and services to write about as part of my Start-up Tools series, Get Satisfaction has been the hardest to decide on. After a lot of reading, I decided against recommending it, though I had to write about it because so many companies have opted to use it.

Get Satisfaction is a great concept for the most part – what it boils down to is a specialized forum service for your customers to discuss issues and ideas about your products. But it’s not quite that simple, as your customer can create a site with them in your company’s name, without your knowledge as 37signals found out – (and they weren’t happy about it). The article by 37signals goes into length about the issues surrounding the service, so I won’t repeat them all here – it’s well worth the time to read if you are thinking about using the service.

While they do offer a rather anemic free version, if you want anything useful you’ll have to shell out for one of the paid versions which start at $99/month. That’s $1,188 per year, which for most start-ups would be among their top expenses.

While they have made some changes to reduce the mafioso feel that many complained about, however the feeling that you have to participate if you care about customers still lingers. With prices ranging from $99 to $899 a month for what amounts to little more than a forum service – it’s simply too expensive for many start-ups.

While I understand that they are in business to make money just as I am, my budget is still very tight and there are many other needs fighting over that same money. Supporting customers has to be the top priority, but is this really the best way to achieve that?

To me it seems that money may be better spent on hardware upgrades to make our servers faster or some real analytics to make sure our web sites are as easy to use as possible. While the service has some nice benefits, spending over $1,100 a year for access to a locked-down forum just doesn’t make business sense.

Oh, and do you want it to match the look and feel of your web site? We’ll for that you have to upgrade to their top plan at a whopping $899 a month. Yet themes are a basic feature of virtually all forum systems.

For me, I think I’ll give bbPress a shot – it’s free, open source, and easy to use – then I’ll take that $99/month and find better ways for it to serve my customers.

When it comes to small business project management, Basecamp by 37signals has been the king of the hill for some time. Now though, there is an exciting new player in the field: Open Atrium. It’s a Drupal based open source project management system somewhat like Basecamp, though with many more features.

Open Atrium is new on the scene, with beta 1 being released just 4 days ago – though it’s already rather polished and seems to work well. While there are some hiccups with the installer and a disappointing lack of documentation, it’s still very easy to install and takes only a few minutes to get running.

It has all the major features that you would expect, plus a few extras such as a twitter-like shoutbox system. Here are the highlights:

• Blogging
• Calendar
• Dashboard
• Document Storage
• Task Management

Being open source and self-hosted adds some nice benefits; unlimited customization, full control of your data, and my favorite: can be installed on a non-public web server. Having you project management system sit behind a VPN is a great way to avoid data leaks and embarrassments.

I’m still debating which is best, Basecamp or Open Atrium – but if you want to save some money, Open Atrium is worth looking into.

Good developers need good tools, it’s simple as that. If you are building software for Windows, the only real option is Visual Studio. The down side to Visual Studio? The $1,200 starting price tag. While Microsoft is now providing the free Express editions, these are aimed more at hobbyists, not serious developers.

Microsoft thankfully is here to help: If your company is less than three years old and has less than $1 million in annual revenue, they have a program to give you all that you need. BizSpark provides the key tools and technologies to get your start-up moving without impacting your budget.

The BizSpark program provides Visual Studio Team Suite + MSDN Premium for your developers (up to 25),  plus production licenses for software like Windows 2008 Server and SQL Server 2008. Unlike Microsoft’s other start-up helper Empower, there are no requirements that you use certain technologies or pursue any certifications.

While Empower does provide licenses for things such as Office for employee use which BizSpark does not, BizSpark more than makes up for it in the production server licensing.

For a start-up with little funding (normally what the founders happen to have in the bank), building for the Linux platform using MySQL and Ruby on Rails can be very tempting. Now with BizSpark the money takes a back seat (at least for the first three years), and the technologies can compete on a level playing field.

It looks like the core Silverlight 3 tools are now available:

• Microsoft Expression Blend 3 + SketchFlow RC
• Microsoft® Silverlight™ 3 SDK
• Microsoft® Silverlight™ 3 Tools for Visual Studio 2008 SP1
• Deep Zoom Composer

Though the tools needed for development seem to be public, I’ve yet to see the end-user run-time; though I imagine we’ll see that in the release anticipated for tomorrow.

Time to have some fun.

Update: Client run-time is now available.