venomous porridge

Month

July 2009

66 posts

My favorite thing about Pulp Fiction

is that every significant plot point occurs while John Travolta is on the toilet.

Jun 30, 2009 · 6 notes
#film

June 2009

25 posts

Password Masking: a good idea

This is the second in a series of two posts I’m calling “Dan Reacts to Nerdy Stuff John Gruber Links To.” Bear with me.

Web usability guy Jakob Nielsen thinks we should stop masking passwords (i.e., echoing • or * when characters are typed into password fields):

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.

I’m not sure to whom Nielsen is addressing this call to action, but there isn’t much that web developers can do. Password masking happens in the browser: it’s required by the HTML 4.01 specification (and HTML 5 as well) that browsers obscure the contents of INPUT elements of type PASSWORD. So the best option open to web developers would be to use non-PASSWORD input fields for passwords; however, this practice would have far worse consequences.

For instance, when browsers see a PASSWORD field, they treat it differently from a plain old TEXT field: in addition to masking the characters, they also don’t include it in autofill, the feature that fills in common form fields for you. So if websites stopped using the PASSWORD input type in the name of usability, you might notice your password from one site being helpfully filled in for you on other sites. Worse, it would be ridiculously easy for a malicious site to grab your passwords, just by fooling your browser into autofilling a form or part of a form that you don’t know is there.

So the only way we could reasonably end password masking on the web would be for browsers to change. Either they’d have to ignore that part of the HTML spec or the spec would have to change too. But even if the entire web agreed to make this adjustment, it would still be a bad idea.

Security is constantly at odds with usability. Many if not most usability improvements have security implications, because making something easier for the legitimate user of a system usually also makes it easier for attackers. You probably don’t enjoy having to hit CTRL-ALT-DEL to log into Windows, for example, but that key combo is required because it’s impossible for software to intercept it (at least in theory), so you don’t have to worry about some malicious program or website faking a login screen and learning your system password. Similarly, ATM cards would be easier to use if they didn’t have PINs, but who wants an ATM card that anyone can use to steal your money? (I mean, other than all the idiots who let their banks issue these.*)

So finally, to bring this home, we mask passwords not because it’s a strong security measure, or because we’re worried about friends looking over our shoulder. It’s because we’re worried about the security camera behind the bank teller’s back, or the stranger walking past the window while we’re logging in, or a jealous coworker hitting our Back button when we’re away from our desk and copying down our webmail password, or a million other casual invasions that can’t be individually protected against.

Having to look at your hands instead of the screen while you type six to eight characters is a tiny sacrifice with huge advantages. And being able to type passwords correctly has always been a part of basic online literacy. So rather than changing everything to help the least-able users be negligibly less frustrated, let’s do this: nothing. Let’s have faith that users will get smarter. It’s been happening all along, ever since that first email you got from your grandmother.

*If you happen to have one of those incredibly foolish and insecure Visa debit cards, please don’t be offended. I’m not talking about you. Idiot.

Jun 30, 2009 · 7 notes
#commentary #web #security #usability
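An added example, not part of the original post: a small audit of form markup for the situation described above, where a credential field is declared as something other than PASSWORD and so loses the browser's masking and autofill handling. The hint pattern, the function names and the sample HTML are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic chosen for this example: attribute text that suggests a secret.
SECRET_HINT = re.compile(
    r"passw(or)?d|passphrase|pwd|(?<![a-z])pin(?![a-z])", re.I)
# Input types that render as visible, free-text fields.
TEXT_LIKE = {"text", "search", "email", "tel", "url", "number"}


class PasswordFieldAudit(HTMLParser):
    """Collect INPUT elements that look like secrets but are not type=password."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":          # html.parser lowercases tag names
            return
        a = {k: (v or "") for k, v in attrs}
        # A missing or empty TYPE attribute defaults to a plain text field.
        input_type = a.get("type", "text").strip().lower() or "text"
        if input_type not in TEXT_LIKE:
            return
        hints = " ".join(a.get(k, "") for k in
                         ("name", "id", "placeholder", "autocomplete"))
        if SECRET_HINT.search(hints):
            line = self.getpos()[0]
            self.findings.append((line, a.get("name") or a.get("id"), input_type))


def audit(html):
    """Return (line, field name, declared type) for each suspect input."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup: one correct login form, one signup form with mistakes.
SAMPLE = """\
<form action="/login" method="post">
  <input type="text" name="username">
  <INPUT TYPE="PASSWORD" NAME="password">
</form>
<form action="/signup" method="post">
  <input type="text" name="email">
  <input type="text" name="new_password" placeholder="Choose a password">
  <input name="pin">
  <input type="text" name="shipping_city">
</form>
"""

if __name__ == "__main__":
    for line, name, input_type in audit(SAMPLE):
        print(f"line {line}: '{name}' is type={input_type}, expected type=password")
```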
Asshole 101

Jeff Atwood:

Here’s how far I am willing to go: I believe the iPhone will ultimately be judged a more important product than the original Apple Macintosh. Yes, I am dead serious. Just check back here in fifteen to twenty years to see if I was right. (Hint: I will be.)

Perfectly fine, if unoriginal, prediction. Yet those four unnecessary parenthetical words at the end instantly transform the tone of this piece from “inoffensive tech punditry” to “pompous asshole begging to be ignored.”

Seriously. Is there any phrase that shouts “Stop reading NOW” louder than “(Hint: I will be.)”? Even just the word “Hint:” is dripping with smug superiority.

Here, read it again without the appendix:

Here’s how far I am willing to go: I believe the iPhone will ultimately be judged a more important product than the original Apple Macintosh. Yes, I am dead serious. Just check back here in fifteen to twenty years to see if I was right.

Nothing wrong with that, is there? Now go back and read the version quoted above. See? Asshole. (Hint: I know everything so if you don’t agree with me you’re dumb and also you eat turds.)

Jun 28, 2009 · 14 notes
#commentary
Jun 28, 2009 · 17 notes
Missed Connection Fan Fiction

liana:

Patty lit her second to last Virginia Slim and thumped down on the bed. The comforter was a flipped-around version of the curtains. Blue flowers on pink sky. Patty sighed once, then again, after she decided she deserved it. There was leftover Chinese in the fridge. Patty thought about that for a while. Mulled over the idea of cold broccoli in greasy peanut sauce. She lifted up her shirt and stuck a finger into the corner of her white Maidenform bra. She pulled out a tight, wet wad of crumpled hundred dollar bills.

“Canada,” Patty thought. “They use dollars in Canada?”

There was a knock on the door, quick and bitter. Patty leapt up, shoving the money back down inside her cleavage. She peeked through the curtains. Donald was holding Julie by her feet and dangling the little girl over the pool. Julie shrieked bloody murder while Donald cackled like late night TV.

Holy shit, people, why aren’t you following Liana?

Jun 27, 2009 · 5 notes
Jun 22, 2009 · 57 notes
#baby
Jun 19, 2009 · 18 notes
#original #funny
Aha

You said something that contradicts an overgeneralization you never tried to make in the first place and I’m pointing this out because it somehow makes me feel better about my own ill-considered decisions of which I was never very confident and must therefore attempt to justify by belittling someone else who is already having a fairly shitty day even though we probably don’t disagree but if I take this opportunity to manufacture a conflict and pretend to win it through intellectual dishonesty I can feel like I suddenly have self-respect even though it just makes me look like a jerk to everyone else.

Please pity me in silence, because if you argued back I’d just make up something else you didn’t say to tell you you’re wrong about.

(This post is tagged: passive-aggressive douchey smartass)

Jun 19, 2009 · 11 notes
#douchey #original #passive-aggressive #smartass
Listen

This may be the most audaciously stupid song ever to hit the Billboard top 10: “Hocus Pocus” by Focus. 1971.

Contains parts for electric guitar, alto flute, accordion, and tenor yodel. The album it comes from also features a 23-minute-long prog-rock interpretation of the opera Euridice.

The lead vocalist and composer of this tune is a guy named Thighs. (OK, so he spells it Thijs. He’s Dutch. It’s still funny.)

Jun 17, 2009 · 2 notes
#music #stupid #funny
Way to go, Twitter and NTT

Twitter just announced that they’ve talked their network host, NTT America, into rescheduling some planned downtime because of Twitter’s role in the Iran election protests, possibly in response to pressure from users:

A critical network upgrade must be performed to ensure continued operation of Twitter. In coordination with Twitter, our network host had planned this upgrade for tonight. However, our network partners at NTT America recognize the role Twitter is currently playing as an important communication tool in Iran. Tonight’s planned maintenance has been rescheduled to tomorrow between 2-3p PST (1:30a in Iran).

Our partners are taking a huge risk not just for Twitter but also the other services they support worldwide—we commend them for being flexible in what is essentially an inflexible situation.

I’ve criticized Twitter before, but this is a quality move. It’s nice to see that tech companies don’t need a catchy motto to do the right thing.

Jun 15, 2009 · 14 notes
#twitter #politics #google
Jun 13, 2009 · 3 notes
Listen

“The problem here is, at some point before 2012, if [Palin]’s a viable candidate for anything other than what she has now, does she not have to render herself capable of intellectual thought on a national level, and more so, does she really have to stay away from a guy who—I mean, even the idea of being reminiscent of the writings or the sayings of a guy who might be her rival, as odd as that might seem to say out loud, for the 2012 nomination—in Gingrich?”
—Keith Olbermann to Lawrence O’Donnell, 6/8/09

The problem here is, Keith, that your question, if you’re a viable candidate for speaking English, is it not just a random collection of sentence fragments, and more so, do you really have to speak in complete—I mean, even the idea of just adding a question mark to the end of a pile of pompous shite, as odd as that might seem to say out loud, for a guy who criticizes other people’s capacity for “intellectual thought”—gibberish?

Jun 12, 2009 · 5 notes
Half a gram

sloganeerist:

Put less simply, food manufacturers are allowed to set their own serving sizes. No big deal, until the FDA decides to also let those manufacturers make a zero where there isn’t one. Specifically, if a manufacturer-determined serving size contains .5mg of Fat, they can call it 0mg of Fat. Legally. Absurdly. Insanely. Often the “low fat” version of a food is simply the original version of the same food, with a smaller serving size, one that allows the manufacturer to misrepresent the content with bullshit percentages like the one above. The FDA allows that, too.

In the case of the cooking spray above, I assume it’s nothing more than canola oil. Canola oil contains both fat and calories. The manufacturer has simply made a serving size so small that they can legally claim there’s neither per serving. Has anyone ever coated a frying pan with a 1/4-second spray? Hell naw. You probably spray for a good 2 seconds at least. So assuming there’s actually .5mg of Fat in a 1/4-second spray, that means there’s 4mg in a 2-second spray. Magically, this product now contains fat.

Next time you see “ZERO TRANS FAT!” on a label, look underneath it. If it’s followed by a tiny “per serving,” it’s horseshit 100% of the time.

Exactly right, except for one tiny detail: the threshold is 0.5 grams per serving, not milligrams. Half a gram isn’t a lot, but it’s not zero. As you point out, it behaves a lot differently from zero when multiplied by other numbers. The cooking spray example is the most egregious, because it allows a product which CONSISTS ENTIRELY OF FAT to be labeled “fat free.” (I’m pretty sure they don’t even have to say “per serving” when they use words like “free” or “no” but I need to look that up.)

This made me so angry a few years ago that I registered the domain halfagram.org, with the intent of posting photos of half-gram quantities of various things (fat, sugar, salt, arsenic) to help people understand this ridiculous loophole. Then I forgot about it. If anyone’s interested in helping, I’d love to revive the idea.

Jun 12, 2009 · 33 notes
#food #righteous indignation
Jun 11, 2009 · 10 notes
#food #original #recipe
Listen

“It Just Might Be a One-Shot Deal” by Frank Zappa, from Waka/Jawaka (1972; Wikipedia, Amazon). 04:17

Some slightly more accessible Zappa for you and yours. If you’re in a hurry, fast-forward to around 01:45 for the killer pedal steel solo by Sneaky Pete Kleinow.

Jun 10, 2009 · 5 notes
#zappa #music #audio
Twitter Power User Pro Tip++

Wanna know if someone follows someone else? Enter this in your browser’s address bar:

http://twitter.com/friendships/exists.html?user_a=biz&user_b=ev

Unmodified, this URL will tell you whether @biz follows @ev. So replace their names with those of the people you’re stalking interested in. You’ll get back a page containing the single word “true” or “false.” Neat, huh? Now go bake me a pie.

Jun 9, 2009 · 23 notes
#twitter #hacking #pie

sniff
sniffsniff
sniffsnufflesniff
snufflesnuffleFACELICK

— The dog equivalent of date rape

Jun 8, 2009 · 10 notes
#dogs #original #funny
On brain-searing

lonelysandwich:

BoA: Beat of Angel (권보아)

So I’m cutting a commercial and there’s a guy in the next bay over cutting a music video for pretty Korean lady who goes by the name of BoA, for “Beat of Angel”. Which is funny to me for two reasons.

The second reason is that I can’t help but think of Bank of America, what with her capitalization scheme. Maybe only funny to me.

The music is not good and even worse seared into the side of a brain over the course of three days, 2 1/2-second looped sections at a time.

I’m by no means a pro, or even all that good at it, but I’ve done a fair amount of A/V editing for various work and personal projects, and “seared into the side of a brain” is far more apt than one might think.

My elementary school was down the street from an old lady who had gone deaf and couldn’t remember to disarm her burglar alarm when she got out of bed, so the siren was almost always going off during recess. It was a piercing tone that smoothly descended a fourth or so and then sawtoothed back up two times a second. But if you listened to it steadily for a few minutes, something would come loose in your auditory perceptual system and you’d start to hear the frequencies out of order. Now, as a fully adult-resembling person, when I hear that type of siren, it sounds broken to me. I have to concentrate to hear it properly.

That’s what editing is like.

It’s worse if it’s a song you enjoy—which if you selected it or if you’re editing your own performance, it probably is. At the beginning of the project, you’re excited because you can see how you want everything to flow, and as you piece it together you start to see your idea coming to life. Occasionally you’re surprised when a sequence works better than you thought it would, and those are the great moments.

But sooner or later, somewhere around the 300th pass over that one section that just refuses to tighten up, cracks start to form. You stop hearing the music, and the component tones and harmonies stop complementing each other and start sounding like ridiculous noise. You’ve scrubbed over one particular measure 20 or 30 times, trying to pinpoint the exact syllable of the vocal track that lines up with the edge of that snare hit, and now you’re unable to hear anything else. After a while, you can’t figure out why you ever liked this song in the first place. By holding it too closely, you’ve smothered something you loved.

Adam, I don’t know how you can stand it.

(For a perfect illustration of how repetition screws with perception, listen to the first five minutes or so of the Musical Language episode of Radio Lab. The “sometimes behave so strangely” part. It had been a year since I last heard this episode and that damn loop was still encoded in my brain.)

Jun 6, 2009 · 9 notes
Jun 6, 2009 · 4 notes
#photo #original
Dear newspapers

You know how you’re dying and stuff? And you know how a lot of you do that “Registration required” thing that keeps potential new readers from seeing your articles online without entering personal information, which is useless to you anyway because it’s pretty much all made up? And you know how none of your competition does that, except for other dying newspapers?

I’m sure I’m not the first to suggest this, but here goes:

HOW TO NOT DIE

  1. Stop that shit.
Jun 5, 2009 · 27 notes