One consequence of always having to chase the shiny new thing is that often good programming practices are not center stage. Robert Martin speaks of this in .Net Rocks and he also has a blog post where he says this continuous relearning requires massive amounts of time and effort and does not pay off very well in terms of extra productivity.
As a contractor though, I think you need to “ride the waves”. The highest paying gigs are always on the shiny new thing…
The Churn post was posted here previously; here is the discussion: https://lobste.rs/s/1pylbt/churn
Unfortunately not. And it’s not recommended.
https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
That’s not really a fair criticism, since what Troy’s article says is that making people pick passwords with, for example, symbols does not necessarily improve security, e.g. “P@assw0rd” is not much better than “Password”.
However, that doesn’t change the fact that if more symbols are used than just letters, the search space that an attacker has to go through is larger.
The post is from the point of view of what hoops an attacker has to go through to get to a password, and about what developers should do to make that as hard as possible.
Troy’s post is from the perspective of the user who has to pick a password and how restrictions such as having to use numbers and symbols or not being able to copy and paste do not lead to users picking better passwords.
Adding characters is far more effective at increasing the state space than expanding the alphabet. For example, assume you have a 10-character alphanumeric password; that’s 62^10 = 59.5 bits of state. If you add some special characters to your alphabet (let’s say eight of them), you’re up to 70^10 = 61.3 bits. If you add a single alphanumeric character, for 11, you now have 62^11 = 65.5 bits.
Alphabet is, for most intents and purposes, a complete waste of time. Passwords need to be longer and not in known dictionaries. Any other requirement is between useless and actively counterproductive.
It was never suggested that using symbols should be a requirement. The only suggestion in the post regarding this matter is that a password manager should be used.
Also, there were no suggestions about password lengths other than that longer passwords are better than shorter ones, and the more character types the better. All of that is true irrespective of the discussion about making symbols in passwords mandatory.
I agree that that type of requirement is counterproductive, but I don’t see how the post has anything to do with that.