security
The Cryptosomething
When I stumbled over yet another article on how you get your cryptography wrong, I remembered that I did something similar myself.
No, not the broken scheme from that article, but I had needed to use some crypto functions to verify some data that had been handed to the user before.
Passwords, logins and OpenId
The software that I’m currently developing will use OpenId to provide a single login for multiple sites. If you haven’t heard of this yet, OpenId is the newest, coolest (at least in the eyes of the “Web 2.0” crowd…) thing for “single-sign-on”. Meaning that you only have to remember one password for all your web sites.
The whole thing works like this: You go to a page where you log in. You provide your OpenId URL (which is the same as your user name). You are sent to your OpenId provider. You log in to your OpenId provider. You go back to the original website, and now you’re logged in. The idea is that you only have to log in one time to get access to all your web services.
It has gotten a bit of hype now, since some of the big players announced “support” for it.
So I checked out this toy, and I found that there are already a lot of providers, and a lot of libraries to add support to your own web application. You can also have a plugin for WordPress, Trac, you name it…
So I got an OpenId account, installed a plugin on my blog. And disabled it again.
Random awesomeness
Usually I’m not such a big fan of “shareware” products and the like – too often you get charged for crap that is outclassed by the free alternatives. Plus, I didn’t have good experiences with the “customer support” of independent vendors in the past.
That said, there are some tools that are really worth their price, like TextMate. And a while ago I bought 1password (1passwd before…), because I wanted to share my web passwords between all browsers (and Firefox doesn’t support the Mac keychain). It worked as advertised, giving something like a “single-sign-on” from any browser. Also, with the built-in password generator I don’t use the same default password for all sites any more. It also synchronises to the iPhone/iPod touch (and also with a Palm device, if you pay a little extra).
But the really amazing thing is that the new beta can automatically fill in forms on your iPhone/iPod touch. Way cool, it just synchronises a “bookmarklet” to the device, it’s all JavaScript and you don’t have to install and hack anything. And on the Apple mobile devices that is worth gold, since they still don’t have copy-and-paste…
And I can finally log in to password-protected sites on the go.
