Is Your Site Password-Worthy?

August 30, 2011

I hate passwords. I just read an article on Yahoo about how to make your password more secure. I think this is the wrong message. Passwords should be abolished altogether. It seems that almost every site on the web, in order to see the interesting stuff, has you enter a user name and password.. Let me tell you, most of these sites are not password-worthy. First you have to set up an account name. Since these have to be unique (it’s a computer thang), probably one name won’t cover all sites. I have a nice yahoo name, but since I got it 15 years ago it was available. That same name is not available on pretty much any other site so I have to add letters and numbers and whatever to get an account name that works. Who can remember these?

On the issue of user names, why not just use your email address?  I try to do this when I can but lots of sites don’t allow the @ or . symbol (in which case I drop it) or don’t allow long names. Also this method reveals your email address, because often your account name is something that is public. Why not eliminate user names altogether, base log-in on email address and allow an arbitrary public name which doesn’t have to be unique. A computer is smart enough to figure out how to deal with non-unique user names (the technique is called capabilities). Right now, for non-password-worthy sites, I use a free yahoo mail address – as a side benefit all the spam goes into that email, which I haven’t looked at in years.

Once you create an account name you have to pick a password, which inevitably is even more difficult than picking a user name because no two sites have the same rules for passwords. Some allow special characters, some don’t, and some require them. Some have length limits. some force a certain minimum length. Some allow you to use any password you want, some judge the “strength” of your password and don’t allow what they consider to be “weak” ones. One site I signed up with recently (comcast) forces your password to be between 8 and 16 characters contain a lower case, an upper case a number and a special character. I guess their biggest fear is that someone hacks into my account and cancels HBO. My bank forces me to change my password after a month of inactivity, and doesn’t let me change my password to any password I’ve used it in the last 5 months. They also make me answer 3 questions every time I log in from a different computer and now they call my cell phone and I have to punch in a verification code, all this to log in. Next I expect they will send a phlebotomist over to check my DNA. I have resorted a simple method of picking passwords: I write how I feel when I’m using their site. It seems to be the easiest to remember.

Next, most (if not all) sites now have a way to obtain your user name and your password if you have forgotten them. This is what I usually do. Almost all of these lookups are based on email address and then maybe ask a question like “Who is your favorite hot actress?”, something you answered 5 years ago when you were into girls with short hair and big boobs. I digress. Then you get a link in your email box that acts as a password, maybe for an hour of so, during which time they expect you to enter yet another password that you will never remember.  This is the technique that some cracker used to steal Sarah Palin’s emails.

I’m sure there is some site out there that just collects passwords and then tries to break into people’s accounts using deviations from these baselines. I use the same password for most sites, who cares if someone breaks in, I don’t store anything important on 99% of the password protected sites anyway.

At this point in the development of the internet one has to ask, “why do we still use passwords?” Hasn’t someone come up with something better?

One suggestion (from by brother) is to allows users to select a question and answer as a password. That way you can use lots of different passwords and be reminded of what password you used for that site, without anyone else understanding the hint.

Another suggestion is maybe it is time to use cell phones to do authentication (authentication is a technical term for figuring out if you are you). Most people have them and sending a message every time you log in is probably not that expensive. For those people who don’t have or want to use a cell phone, you email server could act as an authentication agent.

Of all the sites I go to these days, maybe three are password-worthy. The rest I either use so rarely that having a password is impossible, or are so unimportant that I don’t really know why they bother. Therefore, I hereby establish “The committee to abolish passwords”. Membership is free, no usernames or passwords are required. Just reply to this posting. (Does wordpress require a username & password?)

Flash vs. Java vs. Javascript

July 21, 2010

I’ve been looking at implementing a new user interface for a sensor system that my company builds, so I started to investigate possible platforms. I can’t use a client/server approach because access to a central server is not available. A few years ago I ported my Pin Hockey game to flash so I kind of know flash. The current UI is built in Java. A third possibility is Javascript, the engine of choice for HTML5. So then I thought, what are the real differences among these language? Flash (really Flex because I only develop on free platforms) seems to be more user interface oriented, Java more general a language but clumsy for interfaces, and Javascript very browser oriented and bit free-wheeling (i.e. no type checking– yet). But after more thought it occurred to me that all of these languages are basically the same. They all depending on a complex “interpretter” that uses byte-code instructions generated from the high-level language. They are all object oriented, single inheritance, interface based with built-in garbage collection. Beyond the basic language and interpreter are various libraries that do vary quite a bit from platform to platform, and that is one area where flash really shines. The underlying flash library is very rich and pretty.

With the Apple (Jobs) / Adobe war going on now we have Javascript (which Jobs calls HTML5) versus Flash/Flex with Java not even a close third. Everyone knows that Javascript as a big development environment is just not workable, although many of people are trying. So my suggestion is to eliminate this pettiness and just come up with a single underlying engine that can implement all three languages. An byte-code based engine that allows the source code to be developed in any language, that allows for a variety of libraries but preferably one good built-in one, and provides for maximum flexibility in interoperability. In fact, an underlying byte-code engine should be able to run all existing Flash, Java, and Javascript programs as is, eliminating the Apple/Adobe war altogether. The ultimate goal would be an open-source engine implementation, perhaps based on the current open source Java engine. But I’m dreaming.

The more predicable end to this story will be that Apple buys Adobe, war over, and presto Flash becomes remains the defacto standard of the UI. I’m expecting an announcement in a few months.

TEMPer Temperature Sensor Linux Driver

October 17, 2009

In addition to the Tenma driver, I just finished writing a driver for the TEMPer usb temperature sensor. I found that much of the information on the Internet regarding linux drivers for this device was wrong. Perhaps they refer to a different version of the part. The usb device I received uses a customized HID chip. You can find the linux driver here. Note that this driver is based on the libusb user space library and is not a kernel level driver. The driver can be compiled either as a standalone program or as a library to your own application. Permissioning is handled with a udev rule file.

Tenma 72-7730 in Linux

October 4, 2009

I bought a Tenma 72-7730 DMM for work so we could record data from our temperature chamber. The DMM is reasonably priced for a USB based instrument. Unfortunately it did not come with a driver or software for linux, only windows, so I was stuck reverse engineering the interface. The USB is based on a Hoitek UART to USB device that interfaces into the linux HID code instead of the serial tty driver. The Hoitek site is currently down (looks like they lost their domain name, maybe they were bought or something) but I found enough documentation on the internet to set the bit rate for the device so I could see what was coming on the HID interface. Long story short, here is the resultant gnu/linux software to fetch raw data, screen readings, and floating point values from the DMM. The software can be run stand-alone or as a library for  your own application. Instructions are included.

MSP430 UIF

May 15, 2009

I wrote a simple program to download to and dump the memory of an MSP430 via the TI USB FET a couple of years ago. I made it available at the time in source code form (TI gave me permission as long as I made it clear that TI does not support my code). I was recently forced to look into upgrading to the new MSP430F249 part and wanted to use my old code to download. Guess what? Things had changed.

1. The firmware in the USB FET needed to be upgraded. I installed the windows version of IAR (the current one) and it automatically downloaded the new FET code. OK so far.
2. The new firmware (version 20305000) is incompatible with the old firmware in that the old firmware had a list of available MSP430 devices built into the firmware itself, while the new firmware does not. In addition, there appear to be new commands to the FET that I don’t know about. I am waiting for TI to give me some info.
3. I did a little “research” and found that I could get the new firmware to work by exchanging some messages. First one must send one of the new messages to return a code indicating the type of device (for example, an MSP430F249). Next one must lookup the device in a table and send a couple of messages to configure the FET for that device. Therefore the linux code must have configuration messages for each supported processor while previously these were stored in the FET itself.

I have some code that will work with the three processors that I use: 149, 1611, and the 249. One can add ones own processor to this code if you can figure out the magic messages that are sent to initialize them. It would be nice if I could get all of the magic messages.

The code is available here: http://www.relavak.com/downloads/uif430-1.0.tgz.

Flash PinHockey

May 7, 2008

You can now play Pin Hockey on any Flash platform (like a PC or a Mac). The flash port supports most of the features of the DS version including single player and two player modes. Currently dual screen play is not supported. Check the OPTIONS screen for selecting options and keyboard mappings. Slammer play requires a mouse.

Here is the link: http://www.relavak.com/downloads/PinHockey.swf

Update of PinHockey (Version 0.2)

March 4, 2008

PinHockey for the Nintendo DS has been updated:

  1. Added Dual Screen field with moving paddles and various options
  2. Added Booster and Spin Booster obstacles
  3. Added “Win At” options
  4. Added one puck/two puck option
  5. Updated underlying Box2D library to version 2.

Updated version at:

http://www.relavak.com/downloads/PinHockey.zip

First Project

February 9, 2008

What was Relavak Labs first project???

A hardware based game called the Flashwand. The Flashwand displays text when waived in the air. It also can display a variety of colors and patterns from a crystal ball on its end. The programming contains an adventure (RPG) game that uses the display and the single pushbutton. As you play you earn more functions for the wand until you get all of the wand’s powers, and the ability to put program the wand to say whatever phrase you wish.

I used this project as my first foray into sub $100 development systems. A PIC processor, a 64kbit EEPROM, 10 LEDs, a pushbutton switch, a tilt switch, and a resistor is pretty much the entire hardware. The most difficult part was designing the hardware to fit in a very skinny aluminum tube. I built about 10 of them (have parts for 100) but can only find one or two.

This project lead to the creation of Sensys Networks (http://www.sensysnetworks.com).

FlashwandFlashwand in Action

Relavak Labs Second Project

February 4, 2008

I have been wanting to develop a game for the Nintendo Wii but it seems that Nintendo is not interested in supporting individual developers yet. So instead I looked into the Nintendo DS and found lots of “homebrew” support for development on the DS. So I bought a development system (supercard) and downloaded the devkitpro tools and started. Soon I found a couple of software packages that provided a reasonable “game engine” for my game: Box2D (physics) and uLibrary (graphics). Box2D had a port already to the DS (fixed point) by tobw.net, which I updated to the then current version of Box2D.

My first game: PinHockey, a one or two player game (one DS) that is a combination of AirHockey and Pinball. It can downloaded at http://www.relavak.com/downloads/PinHockey.zip. The select button invokes a list of option that can be changed via the touchpad.

Have fun. Check my blog at http://www.relavak.com for updates and info on other Relavak Labs projects.
Screenshot of PinHockey


Follow

Get every new post delivered to your Inbox.