While generic hashing algorithms are certainly better than storing passwords in plain text, it’s still not as secure as it should be. Users place great trust in us to ensure that their credentials will be secure and treated with the utmost respect; it’s our responsibility to live up to these expectations.

With the simplicity and speed of these general purpose algorithms, it’s possible to generate hashes looking for collisions (or even the original value) extremely quickly. It’s this speed that introduces the fatal flaw; with a database dump containing MD5 hashed passwords, with a fairly small investment most could be recovered within a very small amount of time (mere days for a large database).

Many people are moving to bcrypt as a solution. In Coda Hale’s “How To Safely Store A Password” he covers this topic in more detail, complete with useful stats and links to implementations in languages from C# to Ruby (even Erlang is represented).

If you are looking for ways to better protect your user’s data, take a closer look at your password storage.

Perhaps I’m more aware of this because I maintain an internally developed shared library that my company uses in every application; but regardless of the scope of the project you should always assume that someday you will hand the project off. Many developers think little about what happens to their code after it passes on to another; what other developers will have to deal with, or how their efforts will be perceived.

When I’m training a new developer there are a few points I try to reinforce as much as possible:

1. Code is only good if other developers can work on it without extensive training. If it takes days or weeks of introduction to get a new developer up to speed, then you’ve done something wrong¹.
2. Clever solutions are no better than an ugly hack if it’s not clear what you are doing. If the code isn’t clear then it’s not maintainable, if it’s not maintainable then it’s junk.
3. Assume you’ll be hit by a bus. Always write code with the assumption that you won’t have the opportunity to cleanly pass the code off to a new maintainer. Never assume that you’ll have time to come back and clean things up later.
4. Always perform design reviews, no matter the size of the project². Once you have a design in mind, talk it through with a at least two other developers. Just because you think it’s clean and clear doesn’t mean that others will see it that way as well.
5. Be consistent, always. I’ve seen more projects ruined by people doing things “their way” than anything else. Match style and design when working on an existing project. Be careful when adding new techniques, technologies, or methodologies to an existing project; unless you are willing to update the entire code-base, you can easily create a minefield without realizing it.

If you want your work to be seen positively after you move on, start thinking about your heirs today. The opinion they have of you will be almost entirely based on what they see in your code – not the stories or memories left behind.

¹ – There are always exceptions; these are generalized guidelines, not hard and fast rules.
² – This includes “throw away” projects, many projects that are intended to have a short life end up living far longer than intended. This is the most likely place that your heirs will find code that makes them question the quality of your work.

bbPress was originally written to power the support forums WordPress.org, which get quite a bit of traffic. Later, it was released as a separate project. While it doesn’t have nearly the feature set found in more popular systems such as vBulletin or phpBB; it makes up for it in simplicity. It’s designed to be conversation-centered, where the clear focus is on what people are saying, not the bells and whistles provided by the software.

I’ve used it for a couple sites and couldn’t be more pleased; though now I fear the end may be near.

Automattic, the company behind WordPress.com (and ListPress.com) has committed to supporting the project; though primarily in context to its role in the WordPress world. bbPress as a separate product has so much potential, though it seems Automattic has little interest in this; instead the interest seems to be in making bbPress just another add-on for WordPress.

At one point there was a lot of excitement and interest surrounding bbPress, though for a project like this to succeed you need input from the community, you need an open and fast paced development process. Unfortunately for bbPress, it had no such process. There were people who had the skill, time, and interest to lead the project and make it a success; but they were pushed away and the project was allowed to stagnate.

Today, there is some activity going on, and I’m glad to see that it won’t fade away completely; though I see little chance that it will live up to what it could have been. I have a lot of respect for Matt and Automattic; they’re very successful and build great products; but they could have done so much more.

bbPress will go on I’m sure; though I believe only as a shadow of what it could have been. Though maybe Matt will prove me wrong, I certainly hope so.

Once upon a time GoDaddy had the best prices and the best search of any registrar; unfortunately things often change, and not always for the best. As time went on they added more products and adopted a very “in your face” style of marketing. For years I’ve dismissed the aggressive marketing as the cost of the low prices, but times have changed.

The aggressive marketing style, incredibly difficult to cancel subscriptions, feature lock in, and many other annoyances and issues. And why do I put up with this? It’s not the low prices, as for many things my current hosting company is far cheaper. I’m no longer locked, it’s not that. Loyalty? That it, well, that was it.

After 7 years, and $1,200 – I’ve started moving my domains over to my hosting company; and so far I couldn’t be happier. No aggressive marketing, good service, and they don’t nickel and dime me to death.

Loyalty can be a good thing, but how much is loyalty costing you? Is it worth it?

Being concerned about privacy as most people are (or at least should be) it seemed a reasonable option but when multiplied by quite a few domains, it gets rather expensive. So during this last round of renewals I decided to cancel the service; figuring it would be no harder than removing the item from the shopping cart. To my surprise, it wasn’t nearly so easy.

Turns out that you have to sign into the DomainsByProxy web site with a Customer ID and password to cancel the service; so I tried the obvious and used my GoDaddy ID and password, though no such luck. I searched my email archives and didn’t find a single email from DomainsByProxy, at this point I was pretty sure whatever email address they had on file wasn’t valid, which is bad news for me. While there is an option to recover your customer ID, if their records aren’t accurate then it’s of no real use.

But there is hope.

It took a fair bit of reading and testing, but I finally found a method to get to your account IDs, and it’s fairly simple:

1. Go to the Private Registration Page on GoDaddy’s site (make sure you’re logged in to your GoDaddy account)
2. Type in some random characters into the search box
3. On the results page, click “Continue to Registration”
4. Click “No Thanks” on the ad page
5. Scroll down to the section labeled “3. Select Your Domains By Proxy® Account“

You should now see your customer IDs for the DomainsByProxy web site. The web site only shows the first four account IDs, if you have more than that you can contact DomainsByProxy and have them merge the account IDs you know. Just continue the process until you have all of your accounts merged into one.

Unless you’ve changed your password on the DomainsByProxy web site, your GoDaddy password should work. From there, you can update your information – or like me, cancel the service completely. Now you are free to renew the domain without paying the extra annual fee or transfer to another registrar.

• Microsoft Expression Blend 3 + SketchFlow RC
• Microsoft® Silverlight™ 3 SDK
• Microsoft® Silverlight™ 3 Tools for Visual Studio 2008 SP1
• Deep Zoom Composer

Though the tools needed for development seem to be public, I’ve yet to see the end-user run-time; though I imagine we’ll see that in the release anticipated for tomorrow.

Time to have some fun.

Update: Client run-time is now available.

While building something as simple as avatar support takes a relatively small amount of time, when working against a tight deadline or a tight budget every minute counts. In the world of an ISV (especially a young one) the balance of user satisfaction and development time is critical. Using a service such as Gravatar is a great way to give the users what they want with minimal impact to the timeline.

With a super-simple implementation we were able to get it running within a few minutes – compare that to at least a few hours to build a custom system. Plus, reduced server load as we aren’t hosting the images and a cleaner, simpler interface as it’s one less option the user has to look through.

As IE7 approaches release, the IE team has released a detailed list of the 200+ CSS changes that will appear in the final release. If you do any web development, this is a great time to read the list and audit the CSS that your sites use. IE7 breaks many of the old hacks used to work around the bugs in previous versions, so careful attention will be needed to ensure everything keeps working and looking as intended.

IE7 is a major step forward, and all web developers owe the IE team a ‘thanks’ for being so transparent in this process and making detailed change lists such as this one available.

Matt Mullenweg of WordPress fame has released a plug-in to automatically remove the WWW prefix. While this isn’t earth shattering news, it does show a trend away from the traditional prefixes to a simpler model. A change that I certainly welcome.

From the day this site went online it’s removed the WWW if used, providing a single, optimized URL for all pages. Now that methods to implement such functionality are becoming so simple, I expect it will become even more common as bloggers adopt a single URL model (hopefully the non-WWW form).