I've also run into things like that. In all honesty, I think it's mostly because of NBH/NIH/NIMH (Not Built Here, etc.), along with sometimes the concept that "it's just a password for my little service that's really a trivial service that barely even REALLY needs passwords, so it doesn't really need password security, but we're still going to do passwords for _reasons_". There are absolutely ridiculous things that get done because some developers have a huge aversion to anything they didn't write themselves, even when that is, in essence, hypocritical (because are you writing your own compiler, standard libraries, and everything else too?). Sometimes there's the bizarre concept that figuring out how to leverage someone else's library/module is going to be more painful than just hacking something out (oh, I'm sorry, elegantly coding a masterpiece). Even before we get to the part where these people are so bombastic as to think that no one else could either possibly do it better, much less possibly know something crucial which they're not themselves aware of.

Some of this is predicated on old fears with regards to performance and optimization for a particular use case, versus something written to cover a majority of uses, but none of that is relevant for anyone finding themselves in this situation who is also not a topic expert (no, your cursory glance through a wiki article doesn't count). Nor is it generally relevant in modern coding scenarios. And ironically it's never relevant for passwords, when comparing any decent libraries to more specifically tuned optimizations, in the "does it go fast enough" sense. You should be hoping it doesn't already go too fast.

General rule of thumb with encryption, coding, and information security: if whatever method you're using involves more than you setting up the connections for it, and encryption and security aren't your primary professional focus, you're probably in over your head, and you're probably going to fuck it up in some way that won't be obvious to you, but will introduce critical failures in its ability to actually provide security.

My own advice: any time you can avoid dealing in passwords yourself, do it. Use OAuth and a few common large services, figure out the tokens, store those. And if you come back to that with "OAuth is hard" then you have even less business dealing with passwords in any form. If you come back to that with "well maybe google/facebook/etc will fuck up, because I don't know exactly what they're doing, and I bet I can do better" as an excuse for rolling your own, then you also probably shouldn't be dealing with passwords.