Tuesday, February 10, 2009
Prepared packages for mailing. Breakfast: granola and lowfat cherry yogurt. Met with student AD about recording lectures. Worked with Susie on BTS content photos. Patrick mailed the packages. Lunch: Panda Express at desk: broccoli beef, orange chicken, chow mein, hot water. My fortune: You have a talent for all that is artistic. Revised and delivered our school org chart for Sue A. Updated the office computer hardware list for Cindy. Signed Eric D and me up for a Javascript class at Academy X on Friday, February 20. Worked on the email setup page: icon generation. Chatted briefly with Majed. Home. The iMac was running at 100% CPU for no good reason even after closing all apps, so I restarted it and that fixed it. Dinner at home with Patrick: grilled chicken breast tenders, biryani, hot water. Dessert: chocolate sorbet, peach sorbet. Watched the first half of Death Proof: Bonus Material on Netflix DVD with Patrick. It's essentially a couple of hours of everyone in the film saying how great everyone in the film is. Left this comment on "my life, as far as i know.": "The no vulgarity rule is really weird—why should they care? No one is supposed to see, hear, or communicate the password anyway. I've found similar kinds of strange requirements, too. One site for some reason didn't use the same validation upon account creation as it did for account login, so, for example, I created a 20-character password which was not accepted when later attempting to log in. On a hunch, I trimmed down the length of my password one character at a time and eventually discovered that it thought my password was the first 16 characters of my 20-character password—upon creation it was trimmed by 4 characters then stored (no warning of the trim action), and when attempting to log in with a 20-character password there was no warning that I had exceeded a maximum length. 
In a few other cases, I've discovered websites which have no ability to change passwords, which theoretically means that brute force attacks could be more successful against them. Some sites, if 'asked' by entering a wrong password, tell people exactly what the password requirements are, but I think a better strategy is for website owners to accept the largest set of characters feasible and a length larger than most people will use without revealing the exact password requirements. e.g., say you are a system owner and your system stores up to 32 characters in a password but when someone creates an account or attempts to log in you accept up to 100 or 1000 characters. If someone has created a password that's 60 characters long, it should be accepted at creation and at login even if the system stores and checks only the first 32 characters. For if someone attempts to log in and gets the first 32 characters of a 60-character password correct, do you really need to check the remaining characters to know that's the same person? Probably not, and so you also probably don't need to reveal that you store only the first 32 characters. This is kind of like the problematic situation I described above, except that they should have let me in after checking the first 16 characters of my 20-character password. To see how crazy password management is where I work, see http://pharmacy.ucsf.edu/go/passwords and for password management solutions I recommend, see http://pharmacy.ucsf.edu/go/managepw." Stretches. Warm-up cardio. Weight training: dumbbell fly, superslow tricep kickback. Late snack: lowfat peach yogurt, V8 high fiber juice.
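The registration-versus-login mismatch described in the comment above, reproduced as an added example (this is not code from the original post or from any site mentioned in it). It models a site that silently trims a password to 16 characters when the account is created but compares the full string at login, beside a version that applies one normalization rule on both paths. The 16-character limit, the user name, the in-memory credential store and the SHA-256 placeholder digest are all constructed assumptions for the demonstration; the digest is not a recommendation for real password storage.

```python
# Added example: reproduces the create/login inconsistency from the comment
# and a consistent version. All values below are constructed for illustration.
import hashlib
import hmac

STORED_MAX = 16  # assumed storage limit, matching the "first 16 of 20" case


def _digest(secret: str) -> bytes:
    # Placeholder so nothing is held in clear text; a real verifier would use a
    # slow, salted password hash, which is outside the point being shown here.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class InconsistentSite:
    """Registration silently trims to STORED_MAX; login compares the full input."""

    def __init__(self) -> None:
        self.users: dict[str, bytes] = {}

    def register(self, user: str, password: str) -> None:
        # The trim happens here with no warning to the user.
        self.users[user] = _digest(password[:STORED_MAX])

    def login(self, user: str, password: str) -> bool:
        # No trim on this path, so a 20-character password can never match.
        return hmac.compare_digest(self.users[user], _digest(password))


class ConsistentSite(InconsistentSite):
    """One normalization function shared by both paths, so identical input
    always yields the same answer, which is what the comment says should
    have happened."""

    @staticmethod
    def _normalize(password: str) -> str:
        return password[:STORED_MAX]

    def register(self, user: str, password: str) -> None:
        self.users[user] = _digest(self._normalize(password))

    def login(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.users[user], _digest(self._normalize(password)))


def login_paths_agree(site_cls: type, password: str) -> bool:
    """Site owner's self-check: a password that was just accepted at creation
    must log in when the identical string is presented."""
    site = site_cls()
    site.register("alice", password)  # constructed user
    return site.login("alice", password)


def effective_stored_length(site: InconsistentSite, user: str, password: str):
    """Mirrors the diagnosis in the comment, run against one's own account:
    shorten the password from the right until login succeeds. Returns the
    length that worked, or None if no prefix does."""
    for n in range(len(password), 0, -1):
        if site.login(user, password[:n]):
            return n
    return None


if __name__ == "__main__":
    twenty = "correct-horse-batt-20"  # constructed 20-character password
    print("inconsistent site agrees:", login_paths_agree(InconsistentSite, twenty))
    print("consistent site agrees:  ", login_paths_agree(ConsistentSite, twenty))
    s = InconsistentSite()
    s.register("alice", twenty)
    print("stored prefix length:", effective_stored_length(s, "alice", twenty))
```

Running the block shows the inconsistent site rejecting the very string it just accepted, the consistent site accepting it, and the self-check recovering the 16-character stored prefix. The truncation is kept in the consistent version only so the two sites can be compared directly; the point demonstrated is that whatever rule a system applies to a password, creation and login must apply the same one. Separately, current guidance such as NIST SP 800-63B is to accept long secrets without truncating them at all.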