A different approach about passwords in registration forms

With the hacked of Gawker Media sites and the release of a list of users and passwords stored on the sites, people all over the Internet started reacting to the news and offering techniques on how this can be resolved.

Some of the proposed techniques include getting rid of the user database implemented on many websites and let an external application handle the customer login using credentials from others sites like Twitter, Facebook and OpenID. In my personal opinion, I really don’t like any of these mechanism because I really don’t trust these companies. Your could argue that they might have better protection than some guy’s new web service that just launched in 30 days to test an idea. Maybe it’s true, but also this guy might have a better mechanism to prevent this kind of leaks than the big companies.

Also, I think it’s not true that having a single point for user authentication is going to resolve the whole issue. Compare it with credit card fraud. Do you think you can solve the credit card theft problem by just having ONE card with a $300,000 limit than having multiple cards with, say $5,000 limits? If someone steals one of the cards, you only loose the 5,000. If you someone steals your ONLY card, you might loose $300,000 and you’re left with NO card. This is call spreading the risk.

A different approach that we use on our sites is to generate a random and strong password automatically for the user and send it to their email. We give them access to what they’re requesting on the site with just entering the email (and other information if necessary) and then email them the password generated. When they decide to come back to the site, they used the autogenerated password. They can change it if they want, but we took that step out of the funnel (guessing and thinking what password to put on) and just let them proceed to perform the requesting transaction and letting them now in an email how to continue using our sites in the future with their new strong password.

Why application localization should start in the design stage

When I start developing and throwing out code, I can tell you I’m too concentrated in the features and how I want things to work out. Always testing and debugging and running around different possibilities in my head on how that piece of code could go wrong.

When writing elements on the interface, I just tend to place the needed controls or the html tags on web pages and add the labels to the respective controls. The labels just pop out of my head without even noticing what I’m writing. Most of the time I’m just thinking how the feature is going to work with the control.

So, when your application is finished, features are implemented, and then we begin with the cosmetic work. This is when the problem arises. If you intent is to offer your application in multiple languages, then localizing the controls and html pages is not part of the cosmetic work. The only way to localize your app when all the labels are hard coded is to make a copy of the web page or control, with the same code, and start changing the labels manually.

That’s why I always have a localization strategy before beginning throwing out the code. Even if you decide how the language engine is going to work after you’ve hardcoded the labels, the simple task of changing them to the variables is exhausting. After months of going through this process with some applications that didn’t have a localization strategy, I’m stilling finding hard coded labels.

Here are some simple strategies I’ve used:

1. Desktop applications (server side): I always try to save the labels on the database repository of the application. Using this technique, I can add languages and modify labels without having to compile the application. Sometimes, developers embedded the label files in the executable itself, the drawback with this technique is having to recompile for adding new languages. With the database option, you just have to create generic functions to get labels out of the repository. I usually have four special fields for identifying the label: the screen or page, the name of the control, the language and the label value. It’s easy to find labels for a specific screen or page this way and save them on memory. Just one query to the database.
2. Desktop applications (client side): I don’t like very much this technique, storing language files in the application local folder. For me, it seems prone for failure: what if the user deletes the file, what if the user opens the file and changes the labels, etc. If you need to store files on the hard disk, try to encrypt them and have some default language embedded in the app executable just in case the language files are deleted.
3. Web application (server side labels): Again, the labels are stored in the database as in the previous technique, although some complications might arise. Remember getting a label value involves making a query for three fields in the database: the page, the language and the control. You might be able to make a function that gets all labels for a page and dynamically find the controls and assign the labels, but I always find it difficult to loop for controls in the page. On our projects I use the Custom Expression Builder functionality from ASP.NET. I’m able to assign the label in the HTML page and dynamically the .NET Framework detects the page and the label is passed as a parameter and then goes to the backend database to get the information. This way there’s never a hard coded value in the HTML. The only issue is that every label is a different request to the database. For one page with 20 labels and a thousand users seeing the page it comes to 20,000 queries to the DB for labels. What I did in this case is to implement a caching mechanism to store the label values in a file on the server. First I check the cache, and as a second option go to the database. Labels do not change that frequently, so the cache can last for a whole day without any issues. This is the technique used on all our websites (SkyXoft, RequestSpot).
4. Web Application (client side): This is the technique used on our request and task management software. All labels are stored in javascript files (one for each language) defined as constants. In the application, on HTML pages, using some simple jQuery I then refer to the constant and assign it the html element in question. It is fast and simple. I determined the language on server side and include the javascript library (the script tag) in the html.

Any of these techniques should be enough for localizing an application. The most important issue here is to plan for language support before coding starts. Doing it afterward is a never ending work. Hidden hard coded labels appear every day.

If you want more information about the code we use or you have any other technique for localization, let me know in the comments.

Software updates or software interruption

I’ve been trying in last few months to reduce the level of interruption I get while working. When I really get focused on doing things, I can achieve level a of productivity that sometimes is difficult to get.

Somethings I’ve done include turning off Outlook email notifications, not entering twitter and avoiding as much as possible using Instant Messaging while totally focused. The findings have been great. It turns out not all email needs to be answered immediately (it’s even better if you wait as you can think of a better response). Also twitter can wait, I can answer messages using the same system as with email.

Although I’ve diminish to the most these kind of interruptions, there are some that have been impossible for me to achieve, or even block, and those are software updates.

It’s unbelievable the amount of popups I get asking to install updates for this and updates for that. For example:

1. Windows: Every week there’s something new that needs to be updated. Some security patch or software update or component. The great thing about these updates is that the computer needs to be restarted. There’s no single or small update that doesn’t. Since I start hearing the hard drive screaming and I notice the update icon on the clock bar, I start sweating right way. I start planning to stop what I’m doing, or what  if I get up to take a glass a water and find Windows has already restarted the computer for me (thank you) when I comeback and I’ve lost whatever I was doing.
2. Adobe Reader: Really? Adobe Reader needs that much updating? Last week I had it and went to their site to check what was being updated. Like 70% of the list is made of security updates. Yes, security updates. Is Adobe Reader that hackable?
3. Apple: Yes, I have to generalize here. This little Apple window opens up every time one of their products needs an update. I’ve manage myself to meeting some of the Apple product line up by this update window. I have installed some Apple products I didn’t even know of, and yes, all of them requires me to restart my computer.
4. McAfee antivirus: I know, this needs to be updated to refresh the virus list, but the core software? In the last couple of months I received like 3 major updates to the core and if I don’t restart the computer it starts pooping out messages that I might be at risk. I turned off the whole thing and still keeps popping out messages of risks and restarting. Come on!

In conclusion, keep in mind when developing software to:

• Be gentle when asking to upgrade.
• Try to make it at least once a month (if possible once every quarter).
• Avoid restarting the machine once updates are installed. This is an architecture issue, it’s possible to do it.
• If a restart is needed, just ask me once. I know how to read.

PS. Windows updates have asked me thee times to restart the thing while writing this post. So long, I have to restart.

What software update annoys you the most?

Are you asking your customers to like you or follow you?

What ever happen to getting to know each other? Those early conversations about what you do, what are your plans and helping me out with one thing or another?

It seems all that is gone by now. Yesterday I received an email from a vendor which we bought a software product about two years ago. The subject said something about their social media sites. When I read the email, they were simply sending a link of their twitter and Facebook site asking me to click on the link and follow them or to just like them. I just though, what? Just like that? I though about running into a high school friend that I haven’t seen for a few years and all of the sudden telling me: hi Jose, how are you? hey there’s something I wanted to tell you…do you like me? eehhh, mmmm, what was your name again?

So, this is email isn’t far from that story. I sometimes complain about some vendors, specially in the tech sector, that once you buy their product, you don’t hear about them never again. This was one of those cases. I haven’t heard from them since two years and now I receive this email asking me to like them.

Sincerely. Not cool software company, not cool.

Try always to have some kind of conversation. These are somethings you could do:

1. Send valuable things about you, your industry or about the product. How about that feature long hidden in the product?
2. What other customers are doing for the product.
3. Tips about what other things i can do with the product.

The point is to establish some kind of conversation, but don’t start sending me emails asking me to like you. It’s just too soon for me.

What are you doing to get your customers to like you?

Why having a business blog is a good idea

Today there are several mechanism available on the Internet to reach your clients and everyday seems to be more. But I still consider business blogs to be one of the best ways to really communicate the audience what your business is about.

Other venues get you to interact with clients, get to know them and they get to know us (sometimes maybe too much) but you can’t get an idea out there in 140 characters. That’s why your blog should be your command center for transmitting and developing your thoughts. Consider this:

1. Twitter is great way to get to customers and them to you, but with the 140 characters limit, it’s pretty difficult to express ideas and be sure they got the right impression.
2. Facebook fan pages are also very good, but still you can’t get an idea elaborated with wall posts. Although you can do some very good branding.
3. Elaborate the ideas and thoughts on your blog and point to your posts from these social media sites so you can start real conversations with customers and potential prospects.
4. Starting a blog now days is pretty simple, just go to WordPress or Blogger which are pretty good. Personally, I would recommend WordPress, the management is very easy and with the vast variety of plug-ins available nearly everything is possible without having to be so technical.

What are you using to express your ideas?