Archive for February 2010

ArchCon 2010 Earlybird Registration Fast Approaching

For those that don’t know, the first ever ArchCon will be held in Toronto, Ontario, Canada on July 22 and 23. Ralvez and I are the primary organizers. We’ve got some great presentations lined up and are becoming more confident that we’ll have enough attendees to fund conference activities.

The earlybird registration deadline is fast approaching; you have four days to register for only $100. Register at the registration page:

For more information, visit the ArchCon website:

Dieter has set up a couple of wiki pages to help people collaboratively plan the conference, and more importantly, social and vacation activities around the conference. He’s coming all the way from Belgium, and is looking for other Archers to do some road trips and tourist attractions with while in North America.

Finally Shipped

Arch Linux Case Badges

After far too many delays, I’ve finally shipped all the outstanding case badge orders. The badges arrived today, after a delay in production and mailing, and all envelopes have been packaged; they’ll be in the mail tomorrow. I spent a lot of time stuffing envelopes this evening!

I would like to apologize to everyone who has been waiting for badges; the preorder form has been up since early December. I originally said they’d be shipping in early January, and a 1.5 month delay is truly unacceptable. Thanks to everyone for their patience; I will try to perform better in the future. I’ve certainly learned not to rely on shipping estimates!

The new badges look more modern than the old ones; I’ll try to update the pictures tomorrow.

Password validation hints

Just because something can be validated does not mean it should be validated. It’s very easy to validate form fields in django and most other web frameworks. That does not mean we should always take advantage of this feature.

Why did I just get this error when creating a user account on a website?:

Error. The password field can contain only letters and numbers

I had included a couple of punctuation characters in my password, because that makes it harder to guess, right?

From a technical standpoint, there is absolutely no reason for this website to tell me I can’t use punctuation characters. If they’re encrypting ASCII, then any ASCII character should be legit. If they’re encrypting bytestreams, then any Unicode byte should be legit.

The only validation a password field should have is to test if the password is ‘too easy.’ Typically a minimum length test is enough, but ensuring the user didn’t enter five 1s or their username as a password can be good validation too (although it’ll annoy the user, which is not often a good thing). You may also need a maximum length if your database is poorly designed, but make it a very high maximum in case anal-retentive people with 64-character passwords want to buy something from you. After all, why shouldn’t you let them?

Further, don’t force your users to have passwords that conform to arbitrary rules like “must contain at least one number, one lower case letter, and one capital.” This actually cuts down the total number of options a brute-force attacker needs to check if they want to break the password; they now know that eerieairplane is not an option they have to test. After all, eerieairplane and EerieAirPlane are totally different passwords; neither is more “guessable” than the other (unless you are a pilot for Lake Eerie Air, in which case you’re probably better off using pokertoMatotoOthpaste).
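The two points above, the ‘too easy’ checks and the keyspace cost of composition rules, as an added worked example in plain Python. This is not code from the post or from any Django project; the function names, the minimum of 8 characters and the 1024-byte ceiling are assumptions, and PBKDF2 stands in for whatever the post calls “encrypting,” since what matters is that the hash takes the raw UTF-8 bytes. The validator never inspects which characters were used, so punctuation, spaces and non-Latin scripts pass; the second part counts, by inclusion–exclusion, how many of the 62^n alphanumeric strings a “one digit, one lower, one upper” rule leaves for an attacker to try.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8      # assumed: the one "too easy" test the post endorses is length
MAX_BYTES = 1024    # assumed ceiling; only guards the hash against multi-megabyte posts


def password_problems(password: str, username: str = "") -> list:
    """Return the reasons a password is 'too easy'; an empty list means accept.

    Deliberately never looks at character classes: only length and degenerate
    choices (one repeated character, the username itself) are rejected.
    """
    problems = []
    # Normalise so the same visible password typed on two keyboards hashes identically.
    normalized = unicodedata.normalize("NFC", password)
    raw = normalized.encode("utf-8")
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(raw) > MAX_BYTES:
        problems.append(f"longer than {MAX_BYTES} bytes")
    if len(set(normalized)) == 1:
        problems.append("repeats a single character")
    if username and normalized.casefold() == username.casefold():
        problems.append("equals the username")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Hash the UTF-8 bytes of the password; any byte value is acceptable input."""
    salt = salt or os.urandom(16)
    raw = unicodedata.normalize("NFC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def composition_rule_keyspace(length: int) -> int:
    """Count length-n strings over a-z/A-Z/0-9 that contain at least one digit,
    one lower-case and one upper-case letter.

    Inclusion-exclusion: all 62^n strings, minus those missing lower (36^n),
    missing upper (36^n) or missing digits (52^n), plus those missing two
    classes (10^n, 26^n, 26^n); no string can miss all three.
    """
    n = length
    return 62**n - 2 * 36**n - 52**n + 10**n + 2 * 26**n


def keyspace_fraction_remaining(length: int) -> float:
    """Share of the unrestricted 62^n keyspace an attacker must still search
    once the composition rule tells them which strings to skip."""
    return composition_rule_keyspace(length) / 62**length


if __name__ == "__main__":
    # Constructed sample passwords, including punctuation, spaces and Cyrillic.
    for pw in ["pokertoMatotoOthpaste", "11111111", "correct horse!", "пароль-с-пунктуацией"]:
        print(repr(pw), password_problems(pw, username="dieter") or "ok")
    salt, digest = hash_password("eerie airplane, 100% !")
    print("verify:", verify_password("eerie airplane, 100% !", salt, digest))
    print("8-char keyspace left after composition rule: %.1f%%"
          % (100 * keyspace_fraction_remaining(8)))
```

For 8-character passwords the rule removes just over a quarter of the alphanumeric keyspace: it tells the attacker which 27% of guesses to skip without making any individual password stronger. The hash step is where the character-set question really ends: once the password is UTF-8 bytes, a hash function does not care what they spell.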

Users have different systems for creating their passwords; some of these systems aren’t very intelligent (same password everywhere, or prepend the name of the site to a common word), but forcing a single system of our own on them is even less intelligent.

While we’re on the subject, what’s up with all the corporate sites who believe that having security questions in case you forgot your password helps make things more secure? Honestly, do you think that my random password with extra punctuation is easier to guess than my first dog’s breed, my mother’s maiden name, or my favourite author? What’s the point of having a password at all if both I and any given attacker can just look up these values instead?