Archive for the ‘Development’ Category

Should You Really Use Security Questions In Your User Account Management?

Friday, May 1st, 2009

I have just read the article on the Twitter employee account that was hacked recently. According to the hacker’s own comments in a forum, he used nothing but social engineering to answer the security question(s) on the Yahoo mail account that employee had been using.

This article is not about blaming Yahoo in particular, because this is a common problem with most websites that use security questions to retrieve a lost password or create a new one, so it applies to other websites as well. I’m just using Yahoo as an example because the hacker (I wouldn’t even call him a hacker) gained access to a Yahoo account.

Yahoo currently allows the new user to choose between the following questions on the signup page:

What is your father's middle name?
What was the name of your first school?
Who was your childhood hero?
What is your favorite pastime?
What is your all-time favorite sports team?
What was your high school mascot?
What make was your first car or bike?
Where did you first meet your spouse?
What is your pet's name?

Another version of the signup form actually asks for two security questions.

Do you think it is safe to use these questions? If you had just got to know someone online in a chat or through a social network, would you be suspicious if they asked about your favorite pastime? I bet you wouldn’t. And I think you wouldn’t even remember that you used that answer for a security question on an account you set up some years ago.

The main problem I see here is that if no alternative email address was given on signup, anyone who can answer the question immediately gains access to the user account and can begin reading and writing emails from it (or whatever service is using that kind of ‘protection’).

In fact I have always refrained from using security questions at all on my websites. Of course providing this kind of “online account rescue service” surely saves you from many support requests. And I also understand that the larger the company, the more password requests you’ll be getting, which may put an immense strain on your support. But is this really a safe and secure method for regaining access to accounts? In my opinion it is not, unless it is coupled with other features like cellphone verification via SMS or similar methods. If the user has provided an alternative email account, most services will send the password reset information to that address, which in my opinion is reasonably safe.

For most websites however I still wouldn’t use security questions at all.
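As an added illustration of the alternative-address approach favoured above (this is example code written for this page, not code from Yahoo or from the author's own sites), here is a minimal reset flow in Python that never relies on a guessable answer: it issues a random single-use token, stores only its hash with an expiry, and sends the token to the alternate email address. The in-memory USERS and RESET_TOKENS dictionaries, the username "alice" and the example.invalid address are constructed stand-ins for a real database and mail delivery.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a real user database (assumption).
USERS = {
    "alice": {"alternate_email": "alice.backup@example.invalid"},
}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}

TOKEN_TTL_SECONDS = 15 * 60  # a reset link should not live for days


def hash_token(token: str) -> str:
    # Only the hash is persisted, so a leaked copy of the table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str, now=None):
    """Issue a reset token for `username`.

    Returns (destination_email, token) for the mailer, or None if there is no
    account or no alternate address. The web layer should show the same generic
    "if the account exists, mail was sent" message in both cases so the reset
    form does not double as a username oracle.
    """
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not user.get("alternate_email"):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable fact
    RESET_TOKENS[hash_token(token)] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return user["alternate_email"], token


def redeem_reset(token: str, now=None):
    """Return the username if `token` is known, unexpired and unused; else None.

    The entry is removed on every lookup, so a token is single-use whether or
    not it turns out to be valid.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hash_token(token), None)
    if entry is None:
        return None
    if now > entry["expires"]:
        return None
    return entry["user"]


if __name__ == "__main__":
    dest, tok = request_reset("alice")
    print(f"would mail a reset link containing the token to {dest}")
    print("redeemed for:", redeem_reset(tok))
    print("second use:", redeem_reset(tok))  # None: already consumed
```

The properties that matter are in the three small functions: the secret is generated, not recalled; it reaches the user only through a channel the attacker does not control; and it expires and can be used once. A security question satisfies none of these, which is the point the post makes.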


Must-Have Firefox Addons For The Developer

Monday, April 20th, 2009

Here is a list of Firefox addons for every web developer most of which I’m using almost daily. I can highly recommend any of these addons and I’ve been using most of them for a very long time.

Firebug

Nowadays I think I could just ask where you’ve been living for the past two years if you don’t know this must-have extension. Firebug allows you to debug your JavaScript code on your live website, to view and edit the HTML code and CSS files on-the-fly directly for the current page, and much, much more.

Firebug also features an essential JavaScript console you can use in your own scripts for debugging and logging. Just check it out - it’s so essential that I won’t get into any more details here.

JSView

This cool addon adds a “JS/CSS” button to your browser’s status bar allowing you to see and view every single CSS and JS file that’s loaded on the current page. Sure - Firebug has the same feature, but using JSView actually makes this even easier than Firebug.

QuickJava

Quite often you have to check your own website to see if most of it still works if the user has JavaScript disabled. This addon adds two small buttons to your status bar which allow you to enable and disable both Java and JavaScript in your browser with one click. You still need to reload the page, but this saves you from the tedious task of opening your browser settings each and every time you need to turn it off (or on).

HTML Validator

You should always make sure that your website contains only valid (X)HTML code and there is no easier way than installing this addon. This one also adds an icon to the status bar of your Firefox browser which is either a yellow warning sign, a green “ok” image or a red icon with a white cross indicating the validity of the code on the current website.

By double-clicking on that icon you are taken immediately to the source code view of the page including all of the warnings and errors that this addon has found in your code. Best of all - it checks everything offline, so it’s not sent to the W3C Validator and it’s very fast.

Live HTTP Headers

Sometimes you need to check the HTTP headers sent by your browser to the server or vice versa. This addon allows you to do just that and you can even apply regular expressions to the output so that you will only see what you are looking for.

Web Developer (Toolbar)

This is also a must-have addon, just like Firebug, which adds several features to Firefox that you will miss if you’re developing websites. Most often I’m using the “Find broken images” feature, although this is just a very small part of this mighty tool.

ColorZilla

Sometimes you need (or want) to know the specific hexadecimal color code of a specific color on the website you’re currently on. ColorZilla adds a color picker to your browser and allows you to copy the color values directly to the clipboard so that you can insert them in your CSS file (that is what I am using it for most of the time). And it still offers even more features than that.

MeasureIt

Draw a ruler to measure the width and height of any object on the current page.

SearchStatus

Would you like to know the current PageRank of the current website or the Alexa rank? This addon also offers additional features such as highlighting “nofollow” links and easy access to WHOIS and robots.txt information for the current domain.

SEOBOOK SEO Toolbar

This is your ultimate SEO addon as it integrates as a toolbar into your Firefox browser and shows you almost anything of interest regarding SEO on any website. You can directly see the PageRank, Yahoo! backlinks, Yahoo! indexed pages, whether the current site is listed in the Open Directory Project (DMOZ), in the Yahoo! directory and so much more. You can even see the approximate age of the domain according to the first version indexed by the Internet Archive.

If you know any other cool addons for a web developer I would very much appreciate your comments and feedback.


Google Introduces New CAPTCHA

Sunday, April 19th, 2009

Sometimes on the web you’re just thinking “Why the heck didn’t I have that idea?” and that’s just what happened when I read this article on CNET. Everybody should already be familiar with the CAPTCHA concept, and I recently had to enter a CAPTCHA code three times because the first two were simply non-decipherable. Actually that problem occurred on a Google page.

I developed my own custom CAPTCHA about two years ago: you have to identify the male person in the image and enter the corresponding code shown under the face, with some random parameters added:


However, Google’s method is superior yet so simple, because they only rotate an image. A human can easily detect rotation, yet your usual automated spam bot cannot. Maybe I’ll switch my CAPTCHAs to this method as well - it is even far easier to implement.

The full details of Google’s new method can be found in this PDF file.
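To make the "only rotate an image" idea concrete, here is an added example of the server side of such a CAPTCHA in Python. It is not Google's code and not the author's; it only shows the part that decides whether an answer passes. The design point is that the secret rotation never leaves the server: the client gets an opaque challenge id and the rotated image, and submits how far it turned the image back. The in-memory CHALLENGES dictionary, the 15-degree tolerance and the 5-minute lifetime are assumptions; actually rendering the rotated image is left to whatever image library you use.

```python
import secrets
import time

CHALLENGES = {}          # challenge id -> {"angle": int, "expires": float}
CHALLENGE_TTL = 5 * 60   # seconds a challenge stays answerable (assumption)
TOLERANCE_DEGREES = 15   # how close the user's correction must be (assumption)


def issue_challenge(now=None):
    """Create a challenge and return (challenge_id, angle).

    Only the id goes to the client; `angle` is for the server-side image
    renderer. The angle is drawn from a band that excludes "almost upright"
    rotations, so submitting 0 (leaving the image alone) can never pass.
    Assumes source images with an unambiguous upright orientation.
    """
    now = time.time() if now is None else now
    lo = 2 * TOLERANCE_DEGREES
    angle = lo + secrets.randbelow(360 - 2 * lo)   # in [30, 330)
    cid = secrets.token_urlsafe(16)                 # unguessable id from the OS CSPRNG
    CHALLENGES[cid] = {"angle": angle, "expires": now + CHALLENGE_TTL}
    return cid, angle


def angular_distance(a, b):
    """Smallest difference between two angles in degrees, wrapping at 360."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def verify_challenge(cid, answer_degrees, now=None):
    """True if `answer_degrees` (clockwise correction applied by the user)
    undoes the secret rotation within tolerance.

    The challenge is deleted on first use, valid or not, so a correct answer
    cannot be replayed and a wrong guess forces a fresh image.
    """
    now = time.time() if now is None else now
    entry = CHALLENGES.pop(cid, None)
    if entry is None or now > entry["expires"]:
        return False
    expected = (360 - entry["angle"]) % 360
    return angular_distance(answer_degrees, expected) <= TOLERANCE_DEGREES


if __name__ == "__main__":
    cid, angle = issue_challenge()
    print(f"render the image rotated by {angle} degrees; send id {cid} to the client")
    print("correct answer accepted:", verify_challenge(cid, (360 - angle) % 360))
    print("replay rejected:", verify_challenge(cid, (360 - angle) % 360))
```

One caveat a practitioner would want: with a 15-degree tolerance, 31 of 360 possible answers are accepted, so a bot guessing at random succeeds about 8.6% of the time on a single image. Rate-limiting per client and requiring more than one image per form keep that guessing cost high.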
