On Passwords, Biometrics, and Password Managers

What is a password? It seems a ridiculous question to even pose. Computers, and more specifically the networking of computers, have made the password ubiquitous in society. We all know what they are, and the vast majority of us encounter them on a daily basis as part of our lives. We’ve become so familiar—some may say _overly familiar_—with passwords that the very meaning of them becomes lost. Somewhat like repeating the same word over and over until it sounds like gibberish.

Hardening against web account enumeration

We all know by now how important it is to help users of our web services keep their accounts secure, by doing what we can to ensure they are using strong passwords. And the variety of methods at our disposal to assist them in this, from secure password policies to regular password expiration, are well documented. Perhaps less well documented is a tangential but equally important threat. Sometimes, we need to defend against more than just unauthorised access to users’ accounts, and instead defend against revealing the existence of an account at all.

Why global tracing doesn't work in Azure web apps

Having spent a couple of hours troubleshooting this before finally finding a solution, I thought I’d provide a brief write up in the hope it might save someone else the pain. Of course, tracing does work in Azure, but there’s a common scenario gotcha that doesn’t seem to be covered in any of the major documentation.

Scenario

You want to make use of Azure’s Application Logging, whether it be to the file system, table storage, or blob storage.

Trello is an antidote to project management tools

If you’re anything like me, then you’re not the greatest fan of project management tools. When I say “project management tools”, I’m referring to large, sprawling application systems such as JIRA that businesses large and small alike seem to gravitate toward for project and issue tracking. As a side effect of being designed primarily around enterprise use cases, the feature sets are often labyrinthine and overwhelming. For certain types of users, such as business analysts, this can be a boon; workflows can be infinitely tweaked and modified, issues can be categorised and filtered, moved in and out of sprints.

The User isn't Stupid

It’s a truth seemingly universally acknowledged in software that the user is stupid. Hang around in an office of developers for a while, and you’ll hear it. It starts as a sigh or a condescending chuckle, followed by a widely announced proclamation that yet again a user has done something so completely stupid that it surely defies explanation. “They can’t even work out how to search.” “They’re expecting it to save when there’s a save button right there and they’re not clicking it.

HSTS and why everything you serve should be over HTTPS

Something I’ve wanted to add to PasteMonitor for a while is HSTS (or HTTP Strict Transport Security), and today I actually got around to doing it. As of today, PasteMonitor is serving up Strict-Transport-Security response headers for all requests. I’ve written previously about how the browser can be a valuable ally in securing your web applications, and HSTS is a great example of one of these mechanisms in action. But what is HSTS, and what does it offer that’s missing with plain old https?

Moving WordPress media to Azure CDN

This post charts the process I took in migrating the static media content of my blog posts out of WordPress and into Azure CDN. Before exploring how I went about it, or even why I would want to do it, I want to take a moment to explain what exactly I mean. As of writing, this website runs on the WordPress platform, and as such I write in the WordPress editor, and use the WordPress media library for managing in-post media.

The browser is your friend—defence in depth via the client

When thinking about the security of applications we build for the web, the scale and breadth of attacks an application might face can be overwhelming. How should the server OS be configured? How should the web server be configured? What security defaults does my chosen web framework come with, and do I need to change them? What use cases am I not considering? Am I making assumptions anywhere about user input?

Eschewing SQL in favour of Azure Tables

With Azure Storage, Microsoft has provided a set of services for handling a variety of data in the big or the small. Naturally, Azure also comes with a robust set of SQL Server tiers for handling relational data in ways we’re all familiar with, but today I intend to focus on what can be achieved with Azure Storage, and in particular, so-called ‘Azure Tables’. Azure Tables is Microsoft’s NoSQL offering, putting it in the same class of products as Apache CouchDB and MongoDB.

Azure standard website pricing

If you’ve read other posts of mine, you may have come to the conclusion that I’m not a fan of Azure standard website pricing. With shared websites (now rebranded as “app services”) available on Azure for less than £6 a month, the jump up to a standard website app service at more than £40 a month looks ludicrous, at least on the surface. But I was wrong, and as of today, no longer have any sites on a shared plan.