Strong Password Enforcement

Modern web applications have a responsibility to prevent their users from using easily compromised passwords. I would also say that it’s in their best interest, although it’s certainly a trade off. Most people still don’t use password managers, so stricter requirements will lead to some people losing access to their accounts. Still though, forcing people to use even moderately strong passwords will help prevent account takeovers and all the headaches that go along with them.

I’ve compiled a list of some things I think all apps should do to enforce strong passwords. The thresholds you pick will depend on the security requirements for your system.

Rate Limits

Login attempts should be rate limited. While not strictly related to enforcing strong passwords, rate limits will enhance the effectiveness of the other techniques. Indeed, rate limiting is identified as an OWASP Top 10 security risk for APIs.

Minimum Length

Checking the password length is primarily an optimization for the next steps. I don’t believe in complex password rules, but it goes without saying that short passwords are easy to guess. Length is a cheap thing to check before we get into the more complex analysis.

Check Strength

Instead of complex password rules, we can use an algorithm like zxcvbn to evaluate the passwords. The idea here is to forgo annoying rules and instead focus on the complexity of the password itself. This has shown to be more user friendly and more secure at the same time.

Bonus: Pwned Passwords

Finally, you may want to block passwords that have been found in publicly exposed password lists. Troy Hunt’s Pwned Password API makes this very easy. There are some drawbacks of this that might be a none started for some applications — namely, your password change process now relies on a third party API. It’s also debatable whether globally blocking nearly a billion passwords is useful. Luckily, the API includes information about how many times a given password has been seen in breaches, so it’s possible to fine tune this as well.

Happy Birthday Frank

Our dog, Frank, is two years old today. According to Embark, Frank is a Lab, Catahoula, Fox Hound, Great Pyrenees, Boxer, Supermutt. We tell everyone he is a Lab-Catahoula because he is mostly a Lab, but looks and acts like a Catahoula Leopard Dog.

We adopted Frank in March of 2020 through Fetch Wisconsin Rescue when he was almost four months old. He weighed 25 pounds at the time. We don’t know very much about his first few months except that he was born in Louisiana and came to Wisconsin just under two week before we met him. (Now he’s 75 pounds and I try not to pick him up as much.)

His favorite things are going on adventures, being chased by other dog friends, and trying to steal sips of coffee.

We got Frank at the perfect time. Shortly after we adopted him, the rescue had to stop taking new applications because apparently everyone had the same idea back then. He’s been a great pandemic companion.

Automatically hide and show menu bar in full screen

I use full screen mode on my MacBook pretty frequently. Swiping back and forth between full screen apps has always been a workflow that just comes naturally to me. One downside is that I’ve always had to move my mouse to the top of the screen to show the menu bar in order to check the current time.

On the new MacBook Pros, full screen mode hides the notch by default. Where the menu bar would be is just black. You can have the menu bar show even in full screen mode though. I haven’t found a way to conditionally show the menu bar only on the MacBook display, but on my external displays there is enough screen real estate that I think I prefer having the menu bar always visible anyway.

From the command line:

defaults write NSGlobalDomain AppleMenuBarVisibleInFullscreen -int 1

Or from System Preferences, Dock → Menu Bar:

Yet Another 14″ MacBook Pro Review

Physically the new MacBook Pros look sturdier than the previous generation. I’ve seen them compared the last generation of PowerBooks. The new design is growing on me, but I wasn’t initially a fan of the bulkier look. One interesting side effect of the bigger case is that even though they are a bit heavier, they feel lighter than they look.

I don’t have much to say about the display or notch that hasn’t already been said elsewhere. The existence of the notch is a trade-off, but one that seems so obviously worth it to me. Getting uniform bezels in return for sacrificing part of the screen I rarely used is a win in my book.

I’ll miss the fourth USB-C / Thunderbolt port, but SDXC, HDMI, and MagSafe ports more than make up for it. I’m also glad we didn’t have to sacrifice charging over USB-C to get the MagSafe port back. At my desk I like to “dock” to an external display with a single Thunderbolt cable (where it’s unlikely anyone is going to trip over the power cable that is zip-tied to the underside of my desk). MagSafe is clearly superior for charging on the go, however.

Almost every app I use has been compiled as a Universal app at this point. I’ve heard from some M1 early adopters that setting up homebrew was a pain at first, but it works great now. Docker still requires Rosetta for some of the binaries, but I haven’t had any problems there either. It seems like so many developers are now using Apple Silicon computers that any apps that hadn’t been updated are in the process now.

I appreciate the return of real function keys more than I anticipated. (I’m regaining the muscle memory to mute/unmute and play/pause without having to look down at the TouchBar.) As a bonus, the Magic Keyboard with Touch ID works with these new machines as well. There was initially a weird trackpad bug causing gestures to stop working, but I haven’t had any problems in the past week.

Overall it’s a great computer. There are still a couple of rough edges related to the architecture change, but they’re quickly disappearing and I think worth dealing with in the short term.

Block Remote Content in MacOS 12 Mail.app

MacOS 12 and iOS 15 introduced Mail Privacy Protection, which is meant to prevent tracking pixels from revealing when and where you open an email. This is a good change that improves privacy for most people.

However, if you previously had remote content disabled in Mail.app on iOS or MacOS, it seems that you have to do it again after upgrading. By default, Protect Mail Activity is enabled, which allows remote content to be download, albeit in the background. If you want to fully block remote content, you have to disable Protect Mail Activity, and enable Block All Remote Content. This works in both iOS and MacOS.