CODING HORROR
programming and human factors
Coding Horror has been continuously published since 2004.
23 Apr 2015
Copyright Jeff Atwood 2015. Logo image 1993 Steven C. McConnell. Proudly published with Ghost.
http://blog.codinghorror.com/
1/47
26/04/2015
CodingHorror
Password length    Time to crack
9 characters       2 minutes
10 characters      2 hours
11 characters      6 days
12 characters      1 year
13 characters      64 years
Password length    Time to crack
8 characters       1 minute
9 characters       2 hours
10 characters      1 week
11 characters      2 years
12 characters      2 centuries
That's a bit better, but you can't really feel safe until the 12 character mark, even with a full complement of uppercase, lowercase, numbers, and special characters.

It's unlikely that massive cracking scenarios will get any slower. While there is definitely a password length where all cracking attempts fall off an exponential cliff that is effectively insurmountable, these numbers will only get worse over time, not better.
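To see where that exponential cliff comes from, here is an added Python example (not code from the original post) that computes worst-case brute-force time from charset size, password length and guess rate. The guess rate of 1e11 guesses per second and the 95-character printable-ASCII charset are assumptions for illustration: the post's tables were produced for a specific cracking rig whose rate this page does not state, so the absolute figures differ, but the shape is the same in both, because every extra character multiplies the time by the size of the charset.

```python
import math

# Added example, not from the original post. The guess rate is an assumption
# chosen for illustration; the post's own numbers came from a rig whose rate
# this page does not state.
GUESSES_PER_SECOND = 100_000_000_000  # 1e11 guesses/s, assumed

LOWERCASE = 26
FULL_PRINTABLE = 26 + 26 + 10 + 33  # a-z, A-Z, 0-9, printable ASCII symbols = 95

YEAR = 365.25 * 24 * 3600  # seconds


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at `rate` guesses per second.
    The expected time for a random password is half of this."""
    return keyspace(charset_size, length) / rate


def min_length_for(target_seconds: float, charset_size: int,
                   rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length whose worst-case crack time reaches target_seconds."""
    length = 1
    while worst_case_seconds(charset_size, length, rate) < target_seconds:
        length += 1
    return length


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal place."""
    units = [
        ("centuries", 100 * YEAR),
        ("years", YEAR),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_table(charset_size: int, lengths, rate: float = GUESSES_PER_SECOND):
    """(length, human-readable worst-case time) rows, like the tables above."""
    return [(n, humanize(worst_case_seconds(charset_size, n, rate)))
            for n in lengths]


if __name__ == "__main__":
    for label, cs in (("lowercase only", LOWERCASE),
                      ("full printable ASCII", FULL_PRINTABLE)):
        print(f"{label} ({cs} symbols), {GUESSES_PER_SECOND:.0e} guesses/s:")
        for n, t in crack_table(cs, range(8, 14)):
            print(f"  {n:2d} characters  {entropy_bits(cs, n):5.1f} bits  {t}")
    print("length needed for a 100-year worst case, full charset:",
          min_length_for(100 * YEAR, FULL_PRINTABLE))
```

Doubling the attacker's guess rate only shaves one bit off the effective length; going from 95 symbols to 96 barely moves anything, while going from 11 to 12 characters multiplies the work by 95. That asymmetry is why the length column dominates the charset column in the tables above, and why the ratio between adjacent rows is constant.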
So after all that, here's what I came to tell you, the poor, beleaguered user:
3 Apr 2015
No Money? No Security.
If all the best security researchers are working on
ever larger bug bounties, and every major company
adopts these sorts of bug bounty programs, what
does that do to the software industry?
It implies that unless you have a big budget, you can't
expect to have great security, because nobody will
want to report security bugs to you. Why would they?
They won't get a payday. They'll be looking
elsewhere.
A ransomware culture of "pay me or I won't tell you
about your terrible security bug" does not feel very
far off, either. We've had mails like that already.
because

- The submitter is more interested in scaring you about the massive, critical security implications of this bug than actually providing a decent explanation of the bug, so you'll end up doing all the work.
- The submitter doesn't understand what is and isn't an exploit, but knows there is value in anything resembling an exploit, so submits everything they can find.
- The submitter can't share notes with other security researchers to verify that the bug is indeed an exploit, because they might "steal" their exploit and get paid for it before they do.
- The submitter needs to convince you that this is an exploit in order to get paid, so they will argue with you about this. At length.
The incentives feel really wrong to me. As much as I
know security is incredibly important, I view these
interactions with an increasing sense of dread
because they generate work for me and the returns
are low.
28 Mar 2015
apply.)

Looking for a place to get started? Check out:

- https://github.com/gjtorikian/markdowntutorial.com and http://markdowntutorial.com/ by Garen Torikian
- https://github.com/chrisalley/commonmarkwebsite and http://chrisalley.github.io/commonmarkwebsite/ by Chris Alley
If you want privacy, you can mail your entries to me
directly (see the about page here for my email
address), or if you are comfortable with posting your
contest entry in public, I'll create a topic on
talk.commonmark for you to post links and gather
feedback. Leaving your entry in the comments on
this article is also OK.
We desperately need a great place that we can send
everyone to learn Markdown, and we need your help
to build it. Let's give this a shot. Surprise and amaze
us!
9 Mar 2015
9 Jan 2015
And both can be kicked off directly from any page via
the Sign Up and Log In buttons at the top right: