One Password to Rule Them All

Programming, Web

Passwords are the new era plague. They are everywhere. Every system relies on passwords. People, unfortunately, are not designed to memorize all of them. The most common solution? Use one password for everything. If you ask one to create a password, one will use the very same password.
Passwords have some intrinsic problems:

  • difficult to create
  • difficult to remember
  • spread across several systems

Jeff Atwood wrote about the advantages of passphrases over passwords, but I’m still not convinced that it correctly addresses the problem. Using more robust brute force techniques, it will me in fact easier to break it, even if has several digits.
But when the person uses the same password over and over, there are some extra problems:

  • cross site vulnerability when one is hacked

Some use password wallets; programs that stores all your passwords in one place. However, you are putting all the eggs in a single basket. If this program gets hacked, all your passwords are exposed. Also, you have to keep a record of all sites you use, which facilitates even more the job a malicious hacker.

PasswordMaker

Suddenly I found about PasswordMaker on the FLOSS Weekly 84 on Twit, which opened my mind for a nice solution. The idea is to create a password generator using a central password combined with a unique id for each site, which can be its actual address! So, your job relies only on remembering one single password, and it will recalculate the actual password each time. One password to rule them all.
It solves some problems.

complex password generation

It can automatically generate very very very strong passwords using a several possible characters. the default 8 digits and 99 characters possible, generate 1 password in 9 227 446 944 279 201, much better than 110 075 314 176 passwords possible using a simple lowercase letters only. I personally use very long passwords. Configuring it to create a 20 digits password, it will be one in 8 179 069 375 972 310 000 000 000 000 000 000 000 000! much safer!

cross site safety

If Facebook is hacked, your Gmail account wont be compromised. If Flickr is invaded, your bank account will still be intact. Because each site uses a different password, you will be protected on all the others. And believe me, it’s site invasion and password leakage very common.

multiple profiles

Some sites have different password policies. Some require using letters and numers, some forbids special characters. Some require at least 8 digits, others restrict to 20. Using thie tool, you can change easily the different profiles and generate, each time, a password for each situation.

browser extensions

In their site, there are several plugins for all major browsers. They facilitates a lot the tool usage. I personally created a Chrome extension that uses the same algorithm.  I hope people like it.

no central repository

Nothing is stored in the computer nor the internet. You don’t have to keep track which sites you have accounts.
It still require non-software measures to make it work. You have to change your password in a regular basis (yearly maybe), among other atitutes.
It is not a silver bullet solution, but it addresses several problems.

Development cycles

Entrepreneurship, Programming, Web

just saw the news about the Drupal 7 Release Candidate. I could not be more perplex with the length of its cycle. The code freeze was announced in September 15, 2009, so its more than a year!
I’m perplex mostly because of the nature of this software: a internet application. Because the internet environment changes in a incredible pace, its really counterproductive to stop accepting deep modifications for so long time. NoSQL databases are getting more and more used, JavaScript techniques getting more refined and the whole HTML5/Video is dominating news. Two years to launch a new version is quite a lot.
I have a hunch: Drupal 5 was a true revolution but had a quite short life cycle, coz Drupal 6 was released soon after. I believe several developers got pissed with that as they were forced to make a long conversion process from Drupal 4 to 5 and than from 5 to 6. Drupal 6 took quite some time to actually be used by old sites, because several important modules (Views and CCK mainly) delayed the port to see what direction D7 would take. The result is that Drupal 6 was coined “Drupal Vista: wait for the 7“. This might be forced Drupal core guys to extend the cycle.
The whole problem is now gone since most sites are now ported to D6. But I really believe that was not matter of the short-cycles-that-pressure-developers, but the lack of clear support from project managers. I say that because some even more complex programs are getting big supporters, despite the apparent paradox.
The most enlightening example is Google. Google’s most popular softwares adopted the strategy of the “fast iterations”. The idea is not to aim “quality at all cost” (typical for projects that release when it is ready) but “to fix as soon as possible”. Chrome is 3 years old or so and it is in version 9! The adoption rate is even bigger than Firefox! Android is in version 2.2 already and gaining more and more support of developers. Can you imagine a more complex software with a faster release cycle?

development_cycles_content_2111

Faster cycles have several advantages:

  • Gain easy testers with the early adopters
  • Avoid that small enhancements being postponed for years just because is a “new feature”
  • Avoid the proliferation of hacks-as-plugins that implement the small enhancements i just mentioned
  • Revert wrong decisions often
  • Encourage more people to participate to the core development, since their suggestions might be implemented soon after
  • Avoid analysis-paralysis loop of each change
  • Reduces the possibility of forks (what is the advantage of Pressflow if Drupal 7 was released quite after?)

I think Drupal community still is somewhere between The Cathedral and the Bazaar. They are still in CVS mentality of a centralized control and serialized development of features. We have to make features in parallel, not in series. So no more “feature freeze”, “guys, lets think about the next version… ideas?”. Every time is time to release a new features. It has to create several forks (and not only patches) that will work on each features and, when any of them are ready, commit into mainstream and launch as a new small version, like 7.1, 7.2, 7.3…
One last comment for those that think several people want stability over cutting edge stuff. Its just to maintain a similar concept used by Ubuntu: time to time a given release will be considered “long term support”. And if Drupal 7.2 is LTS, for example, it could be released several other “features-releases” like 7.3, 7.4 and several “bug-releases” for 7.2, like 7.2.1, 7.2.2, 7.2.3… Fixed time support also gives business and people the right information for a proper planning.

Hardware Bottlenecks

Programming

We prices of hardware are getting cheaper and cheaper. If we werent using legacy computers, the whole world could be buying massive amounts of power.
General processors (cpu) and specialized processors (video cards) are really powerful and affordable. We now can create a super fast computer with a fraction of the price of a few years ago. A HUGE potential is simply wasted. Except for gaming, video creation and some other situations, a person will not use it at full power 99% of the time.
Both permanent storage (hard drive disks) and non permanent (RAM) are also very affordable. A terabyte HHD is cheaper than two 500 GB, which are cheaper than 4 of 250 GB. The current inflexion point is around 1.5 TB, but is progressing.
With so resources available, good programs are getting less and less relevant. Algorithms are for people who don’t know how to buy computers.
We are now focusing on extract the most of our bottlenecks. Power consumption, wired and wireless connections speed are probably the biggest ones. We still are about to see a ground breaking technology to deal with these. Meanwhile, solutions like cache and problems like lack of synchronization between devices will persist.

Unity 3D

Entrepreneurship, Game, Programming

started rencently to play with Unity 3D, a IDE/Plataform to develop games. I’ve heard about it because they recently decided that the indie version to be free. And because this version is quite similar to the Pro version and the Pro version is affordable, I decided to give it a try.
I am really impressed with the package. It is solid in features but what impressed me most is the easy user interface. Generally, programs that strive to be easy to use also make things too restrictive. Unity 3D is not one of them. It is a super intuitive IDE but also can be changed thru code.

As I discussed before, the competition of engines should be irrelevant to game makers because we have a lot data demonstrating that while the technology might help, the actual implementation is what matters. Good games with old/bad engines and Bad games with state of the art engines are quite common.

The main reason to choose one is… current knowledge. Learning things all over again is costy, and Unity address this by adopting several standard technologies. For scripting, you can use C# (very close to Java and C++), JavaScript or Boo. For 3D models, it imports the most used formats (3DS, Max, Ma, Blender…). The same goes for 2D (which also includes importing Photoshop native files), sound and music. All that means that your workflow and suite of programs will remain basically the same.

With the indie version being free, a huge increase of documentation and community support is expected. The same for professional assistance. Im happy to move from Torque (which uses several conceptual dogmas that Ive never liked) to Unity.

PS: with the web player, its possible to create games for web pages just like Flash… take a look in the demos.

unity_3d_3_content_2128 unity_3d_3_content_2127 unity_3d_3_content_2126 unity_3d_3_content_2125

Settings API

Linux, Programming, Web

After creating several sites using several CMSes, one single thing still annoys me: the lack of a proper export settings feature. Puting a local testing site in the official online server is always a nightmare, since we have basically try one of the options:

  • Copy the whole database: it also copy several testing data we used.
  • Step-by-step replication: After 3 days, you will still discovery several options that were not copyed
  • Manually select DB table-by-table to copy: unless you really know of are you doing, its quite crazy

In Drupal world, one of my most admired companies, Development Seed, created both Features and Strong Arm that try to address this, but the lack of broad and ubiquitous support we still feel that we will miss something.

settings_api_content_2095

There are 3 types of data that a computer program might have:

  • External: the spreadsheet for Excel, html to a browser, the image for Photoshop… its the reason why the program exists.
  • Internal: the data that makes the program works. It’s the settings.
  • Temporary: stuff that the program creates in order to gain performance. It, by definition, dont need to be backed up because the program can recreate everything

Every program that is a platform should provide a Settings API. It would help on 4 big scenarios

Local / Production

There are several situations that we need to maintain a testing site for development new features without testing in the really production site. But time to time, we are satisfied with the test results and we and to apply the modification into the production site. For some business, like 3rd party site development, its the daily job, so its a must to make this workflow faster and painless.

Debug

After installing several plugins, its each to get a very unstable site, because they are changing same data. It would be much easier to monitor modifications and find solutions. A settings comparison tool would be great, so we could see what were overwritten.

Distribution / Template

Platforms, by definition, allow us to build stuff over it. But quite often projects are similar. So why not create a template for other people to use it? For a site builder like Drupal, we could create eCommerce, Blog, Forum templates for a easy deployment. Its an extraordinary feature for new comers.

settings_api_content_2096

Stack

If the program is settings aware, a good extra feature is to apply in a stack. Its a similar concept of CSS, cascading settings based on specific variables. Imagine, for example, a site about football teams. While the site has a main theme, each team’s page can have one and the users can have a personal one. We could enabled this cascaded settings for each settings.

Multi dimensional settings

If we have different content types in a site (ex: static pages, forum pages and news pages), we could have a page to change all settings related to each content type and have a page to change a specific settings of all content types.
As we can see, settings is a very important part in a program. We have to think it with more care to leverage its potentials.

Data: storage, display and custom structure

Programming, Web

Creating GUI is no easy task. But creating GUI creators is a even more complex task. Almost a nightmare. But the long road walked by GUI creation programs, we already know somethings that are good and somethings that are bad.

Drag and drop

Quite a long time, desktop IDE’s acknowledged that letting developers to create GUI with some kind of drag and drop interface were critical. That were because GUI were less and less created by programmers but more and more by designers, that have little knowledge and patience to deal with programming code. It also facilitate the adoption by beginners.
### Designer-driven script
A too designer/beginner driven interface for creating GUI might also not be a good choice. The whole customization and generalization possible by programming is lost. Its too case-by-case development. Its not cost efficient. That’s why a middle term is needed. Some kind a language that is easy enough for designers but programmable. Drupal CMS uses the Form API, a PHP array that will be used to create HTML forms. Its quite easy to be used by newbies. I heard that QT is preparing some custom language for creating their UI too.
UPDATE (2010-10-03): Qt revealed QML.
data_storage_display_and_custom_structure_content_2100

“Lorem ipsum/123” preview

Most GUI element have a fixed set of parameters. But sometimes the GUI should be generated on the fly. Developing GUI like this is very try-and-error. To facilitate the creating phase, its important to be possible to see it working with some generic data.

Widget or data separation

The UI 101 rule is to separate the data to the layout. But it is important to let the users to chance any of them. For example, the user can enter his birth year by a textfield or a dropdown list, or some nice JS calendar. This example show how to change the widget, the GUI element. However, the user might need to change the data type. If the birth year was originally text, the user might decide to change it to integer number. The challenge here is to convert saved data. But for most cases, it is feasible.

data_storage_display_and_custom_structure_content_2102

Context

Developers of both desktop and internet applications are experiencing a quite interesting phenomenon: the same application must have several outputs, like netbook version or mobile sites. With the rise of HTML5, sites now might need multiple different outputs. Also, we must have different outputs when we are creating, viewing or update content. The concept of multiple contexts might be anticipated by the GUI creators.

Custom data structures

Integers, float numbers, strings… all developers know these data types. But they know that in some cases it is needed a more complex data types; combination of primitives. Some programming languages have structures and objects to address this idea. But GUIs can also be the combination of multiple primitives. Imagine a “password_checker” GUI element that is, in fact, two form fields that will check if the user typed the password correctly or an “address” element that is in fact a group of *country, province and city* fields. Users might be enabled to create and edit these type of custom data structures.
UPDATE (2009-10-05): I just saw a issue posted against CCK module called State of the multigroup module. It has close relationship with this post. Curious is that it is more a hack than a core idea.

Woman filling out form, close-up

Woman filling out form, close-up

Query builder and Drupal Views

Programming, Web

Views is the most popular module on Drupal. Its not a coincidence: the ability to create custom lists on any Management System is critical. Views goes even beyond by creating a display API and enabling export some options to the end users.
I’m in fact really puzzled by the fact the Drupal next version, 7, does not integrate it into core. It IS a core module, by any perspective. Several administration pages should be designed as Views from the beginning and the whole DB schema data also should be redesigned to implement integration with that.
But I still see some features that Views could still implement.
The first is external data sources. Today we know that search huge amount of data is no easy task and Drupal core does it poorly. That’s why external programs like Solr, Sphinx are becoming more and more popular among Drupal masters. Views yet does a very little integration with those tools. The whole “query builder” should redesigned to control other data sources. Ideally, it could search on any known data structure. By plugins, it would be possible to search external feeds directly, or some web services’ data, like Twitter, Flickr and Facebook without replicating the whole data locally.
I hope the newly created version 3 implements such abstraction.

Game Engines Virtual War

Game, Programming

I simply don’t get the point when the game producers advertise the engine behind a game. Engine, for those are not familiar with, is the piece of software that deals the core functions in a game: 3D rendering, sound, network, etc. They usually say that their own home-made engine is capable of more graphics in the scene, with more details or more effects (mostly about the graphics power). But more than what?
game_engines_virtual_war_content
Unless the company license their engines as core business, like Epic’s Unreal Technology, Valve’s Source or id’s id Tech, there is absolutely no point on advertising it or even giving it a name but creating it some pseudo-credibility to the project.
game_engines_virtual_war_content_0

WOW!! Mafia 2 are going to use Illusion Engine!
Whadda heck is Illusion Engine?

These pieces of softwares are complex to create. However, there was a lot of people that were capable to create one from scratch. Today, there are several of them, with different purposes (some are for hookies, some are for 3D pros or only for FPS games) and different quality (some are slow, some have incomplete documentation or lacking of tools). But there are enough that it might be considered almost as commodity.

game_engines_virtual_war_content_1

Unreal Engine is, by far, the most popular among the big companies. Several best sellers were created using its tools and libraries. But dont even think about using it: it costs a fortune! So several companies had the same idea about position their own techs as as good as Unreal, but with a fraction of the price and making money with them.

game_engines_virtual_war_content_2
If you are looking for a game engine to start studying and – god helps – make your own game, there is really good ones that are cheap or completely free. Some are worthy to mention: Garage Games’ Torque, Blender/Crystal Space and Radon Labs’ Nebula Device.

Some good games came from they: Torque is quite inexpensive and it was used on the Penny Arcade Adventures; Nebula Device is completely free with the most permissive, the MIT license, and its behind Drakensang, which Im going to play really soon.
game_engines_virtual_war_content_3Why spend so much money (or manpower) on core technology instead the final product? Maybe thats way some many games suck.