

I Just Logged In As You - bdfh42
http://www.codinghorror.com/blog/archives/001262.html

======
biotech
People here are very critical of Jeff Atwood. I realize that he has some
shortcomings, and is sometimes flat-out wrong about things, but I'd like to
point out a couple of things in his defense:

1. His blog and podcasts are pretty entertaining, even if he is wrong
sometimes.

2. He created Stack Overflow, which is a pretty nice site. At least, I like
it.

3. He admitted and blogged about an extremely embarrassing oversight on his
part today. Which takes some backbone.

That being said, I don't think we need a link to him on every single blog
entry. This particular entry is more interesting from a Hacker News
perspective though.

~~~
michael_dorfman
I'm one of those who is often critical of Atwood, and the point is not that he
is "wrong sometimes", but rather, that a) he tends to carelessly dismiss those
things he doesn't understand, and b) this includes much of the discipline of
computer science.

As Dennis Forbes so aptly put it, "Be careful diving in [to CodingHorror]
headfirst, though, as the technical depth is generally so shallow you'll be
hitting the bottom before you've even broken through the surface tension."

~~~
dinkumthinkum
I think this is the key point. Atwood is overly dismissive and has even written
flat-out anti-intellectual diatribes (see the "fireman" post).

~~~
jamesbritt
Interesting. I was about to impulse-comment on a previous comment, but then
saw yours.

Makes me wonder about the ways of being wrong, and who do people here think
tend to be wrong in a good or valuable way?

E.g., making conjectures that at least posit novel interaction of events and
ideas, or are wrong due to lack of current knowledge and over-optimistic
conjecture, not because of willful ignorance or bias.

(I suppose that describes any good sci-fi writer; I'm thinking more of
bloggers or essayists.)

------
flooha
Funny, I had a similar incident on Friday. I had an error on my web server
from a bug (fixed now of course). I was curious about the IP that generated
the error because I had just attended a networking event and wanted to know
which contact I talked to now had a bad impression of my site.

I put the source IP in my browser and came up with an XAMPP administration page
which had a link to phpMyAdmin, which gave me admin access to all the
databases on that server.

I poked around long enough to get a contact email for the server admin and
sent him a polite email explaining everything. He was grateful for the email
and explained that he never thought anyone would try to access his raw IP. I
don't think he checks his logs much. ;)

------
nomoresecrets
My favourite Atwood screw-up of all time was on the recent Stack Overflow
podcast. Joel referred to a digital clock on the wall, and Jeff corrected
him, saying it was an analog clock. Joel did his customary 'Jeff said what?'
pause, and then pointed out "I'm pretty sure I can see digits on that clock,
so it's digital." Jeff was still not immediately convinced.

That said, I enjoy listening to the podcast, even if sometimes because I get
to laugh at the things Jeff said. But as someone else said here, it's hard to
be too down on someone who was a key factor in making a site like Stack
Overflow. He also makes some good points. Sometimes.

But objectively, about 90% of the time I agree with Joel when the two have a
disagreement. Guess that means I shouldn't apply for a job at Fog Creek :-).

~~~
dinkumthinkum
Yeah, the podcast has a lot of that. It's very ironic. It's quite common for
Jeff to say something wrong, Joel to correctly correct him, and Jeff a) not be
convinced and b) yield in the sort of "I know more than you do about this but
I'm just going to be nice" way. I think it's delightfully, if not
irritatingly, ironic.

------
epall
Isn't 1Password a solid way of avoiding the whole one-password-multiple-logins
problem? Most of my logins are 8 or more randomly generated characters. The
best passwords I end up memorizing anyway, but I don't use the same PW twice
anywhere on the internet. Am I secure?

~~~
cubicle67
Try 1Password plus dropbox to sync passwords across multiple machines.

~~~
pstinnett
I've been using 1Password, but I've noticed its "auto fill" and "auto save"
options get confused easily, especially if I have multiple logins for one site
(for example I set up a new gmail account for every project I run, and tie in
any third party services to that gmail). This means that I could have 10-20
gmail logins saved. 1Password often tries to save passwords that it already
has saved. Make sense? Anyone else run into this problem? I've started to
migrate over to using Wallet.

------
dinkumthinkum
He is so pretentious. He goes on about how great Open ID is and yet talks
about how he has all these different passwords and uses a "throwaway" password
for admin access to his application. Great. Then he posts something about how
"brute force is for dummies" when using bad passwords is really what's for
dummies.

~~~
rimantas
I think he even had a post about how a passphrase is better than a password. But
I may be mistaken and I am just too lazy at the moment to search for it :(

~~~
TimMontague
Passwords vs. Pass Phrases:
<http://www.codinghorror.com/blog/archives/000342.html>

_Easier on the user, harder for hackers: that's a total no-brainer. I've
adopted passphrases across the board on all the systems I use._

I guess the anonymous person discovered his passphrase?

~~~
nopassrecover
I think so, and I think the passphrase included dictionary words which is why
the anonymous person said as much.

------
edw519
"I've talked about this exact sort of vulnerability several times on this very
blog."

You talked about it but didn't implement it? Yikes.

~~~
henning
Maybe Joel interrupted him when he was talking about it once and he forgot
about it and hence forgot to implement whatever important security practice he
overlooked for stackoverflow.

Good thing stackoverflow is a tech help site and not porn/gambling, eh?

~~~
dinkumthinkum
Perhaps. Perhaps Joel was mesmerizing Jeff with his vague knowledge of
Psychology 101.

------
raganwald
I'd like to jump all over Jeff for having a weak password, but somehow that
seems like blaming the victim. Sure, he's supposed to be an elite hacker
programmer blogger authority something-or-other, but is everyone in the world
supposed to become an authority on choosing strong passwords?

Stepping back for a moment, why are we using passwords for authentication and
security in 2009?

~~~
tsally
Because there are not better alternatives? Unless you'd like to trust some
company with biometric details about yourself. But biometrics aren't notably
better than passwords anyway.

And in answer to your question, yes. Everyone is supposed to become an
authority on choosing strong passwords. I fail to see why this is
unreasonable.

~~~
raganwald
> Everyone is supposed to become an authority on choosing strong passwords. I
> fail to see why this is unreasonable.

People have been saying this for decades, that users should get with it and
learn how to create passwords like "as723HASD-23", to change it every month,
to use a different one for each system, to never write it down, and so on and
so on.

And for decades users haven't been doing this.

So. Are we to blame the rest of the universe for not doing what we tell it? Or
decide for ourselves that _This doesn't work and we as programmers must think
of something else?_

If none of the alternatives appeal to you, think up a new one and get some YC
funding going :-)

~~~
tsally
The point is that there are no alternatives. This isn't a design problem that
as programmers we can fix. There are plenty of existing security systems that
fit the bill. It's a human problem.

For example, one technical fix is a widely deployed public key authentication
system. It would take a company as large as Google to force people to adopt
it, however. Plus operating systems would have to start shipping the software
to make the average user understand it. Private key creation would need to be
integrated into the create user process of Windows and Mac OS X. That's not
realistic because there is little profit for the companies involved.

~~~
_pius
_It would take a company as large as Google to force people to adopt it,
however._

I think we'd see quite a bit of progress if OpenID providers just started
using PKI.

~~~
lucumo
How many non-technical people are actually using OpenID? (For that matter, how
many _technical_ people are using it?) Actually using it, not having some
OpenID thing that they don't know about...

~~~
_pius
Why does it matter?

------
nick007
from another perspective, i wonder how much time is wasted by the average
person choosing, memorizing, and resetting random passwords that no one will
ever try to crack.

i wonder if the value saved by well-protecting a user's data is a net gain or
loss on the whole... <http://qzip.in/nX>

~~~
CalmQuiet
And that link sends me to a post from back in 2006 at www.securitywonk.com
...whose Home Page's _latest_ post is also from 2006.

More 'wonk' than security at that site, I'd wager.

------
zmimon
Especially amusing since he wrote in January(
<http://www.codinghorror.com/blog/archives/001206.html>):

"If you're a moderator or administrator it is especially negligent to have
such an easily guessed password."

Actually, I find just the apparent fact that he uses a 3rd party openid
provider (whichever one it is) for his StackOverflow admin account disturbing.
The OpenID provider has the credentials - they can therefore log in as him any
time they like. Only their integrity / reputation prevents them from doing
that. I think it's fine for individuals using the system to trust a 3rd party
like that but I don't think it's fine for someone with admin powers to do so.

* Ignore this whole comment if he runs his own OpenID provider :-)

------
Hexstream
Lame excuses do not a proper apology make...

A perfect complement to NoScript's proper apology article.

~~~
ilitirit
I'm not really sure what he has to apologize for. He didn't even really need
to post this article or the email.

~~~
Hexstream
When you run a site with many users, you have a responsibility to safeguard
your users' data. Part of this is having reasonable security, and part of that
is having a reasonable admin password.

As far as not "really" needing to post this, that's true of any breach of
security with no obvious user-observable consequences, regardless of the kind
or degree of the breach.

edit: Besides, as is the case with the softcore porn in a technical
presentation, I'm more worried about the fact he says it's no big deal than
the actual security problem. I think "I screwed up totally and apologize for
having failed you, this will not happen again" would have been more
appropriate than (paraphrase) "I screwed up but this is pretty
inconsequential."

------
miracle
It's better to modify your site to accept only modified usernames/email
addresses (e.g. you must always log in by adding a - to your username) for the
user accounts that are more important (have more rights) than normal accounts.
A hacker will have problems brute-forcing these accounts..

------
michaelneale
I am a Jeff Atwood fan. Totally enjoy the podcast and I think stackoverflow is
pretty useful.

------
csomar
I have a simple method to prevent being cracked, 100%.

I choose a word, for example if it's Hacker News, then I choose hacker and
then add random numbers to it while they are complex characters.

Just look on your keyboard, there are numbers that match characters, like 1 -> &
and 2 -> é

so I write é(hackerénews while I memorize 25hacker2news

I think in such a way it's 98% impossible to crack it

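Two comments in this thread describe the same attack surface from opposite sides: nopassrecover's guess above that the passphrase contained dictionary words, and the "word plus keyboard-shifted digits" scheme in the comment directly above. The following is an added example, not code from the page or from any commenter, showing how a dictionary-plus-rules guesser treats both. The word list, the SHA-256 target, and the AZERTY digit row beyond the 1, 2 and 5 given in the comment are constructed assumptions.

```python
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# Constructed sample word list. A real dictionary attack uses millions of
# entries; the point is that the search runs over *words*, not characters.
WORDLIST = ["news", "hacker", "password", "stack", "overflow", "coding",
            "horror", "admin"]

# Digit-to-symbol map for the scheme in the comment above. The comment gives
# 1 -> & and 2 -> é and uses 5 -> (; the remaining entries are an assumption
# based on the French AZERTY digit row and are not stated on the page.
KEYBOARD_MAP = str.maketrans({
    "1": "&", "2": "é", "3": '"', "4": "'", "5": "(",
    "6": "-", "7": "è", "8": "_", "9": "ç", "0": "à",
})


def sha256_hex(s: str) -> str:
    """Hash a candidate the way a stored, unsalted SHA-256 digest would be."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def digit_strings(max_len: int) -> Iterator[str]:
    """'' plus every digit string up to max_len ('', '0'..'9', '00'..'99', ...)."""
    yield ""
    for n in range(1, max_len + 1):
        for digits in itertools.product("0123456789", repeat=n):
            yield "".join(digits)


def _forms(memorised: str) -> Iterator[str]:
    """The memorised digit form and, if different, the keyboard-shifted form.
    The substitution is a fixed rule, so it only doubles the work per guess."""
    yield memorised
    typed = memorised.translate(KEYBOARD_MAP)
    if typed != memorised:
        yield typed


def candidates(words, max_prefix: int = 2, max_middle: int = 1) -> Iterator[str]:
    """Yield <digits><word> and <digits><word1><digits><word2> guesses."""
    middles = list(digit_strings(max_middle))
    for pre in digit_strings(max_prefix):
        for w in words:
            yield from _forms(pre + w)
        for mid in middles:
            for w1, w2 in itertools.permutations(words, 2):
                yield from _forms(pre + w1 + mid + w2)


def crack(target_hex: str, words=WORDLIST) -> Tuple[Optional[str], int]:
    """Return (recovered password, guesses made), or (None, guesses made)."""
    tried = 0
    for guess in candidates(words):
        tried += 1
        if sha256_hex(guess) == target_hex:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    # Constructed target: the typed form from the comment, "é(hackerénews",
    # which its author memorises as "25hacker2news".
    target = sha256_hex("é(hackerénews")
    found, tried = crack(target)
    print(f"recovered {found!r} after {tried} guesses")
```

With an eight-word list and at most three digits the full candidate set is on the order of 10^5 hashes, which a single CPU core finishes in well under a second; the keyboard substitution contributes a factor of two, and the digits contribute the rest. What actually grows the work for the attacker is the number of words in the dictionary raised to the number of words in the phrase, which is why a passphrase built from common words is only as strong as the size of the list it was drawn from.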
------
biohacker42
_how do you think this person discovered my password?_

Well this may be a stab in the dark, but I'm guessing it has something to do with
the fact that you are NOT a great programmer. Learn some C you average coder!

