ruby! rails! kids! oh my! … and other fun from terry heath
  • Bgtwt Open Source’d!

    Posted on September 30th, 2009 terry No comments

    After (I think) removing the passwords and everything else sensitive in the code, I’ve open sourced the code behind bgtwt.com.

    I’m not sure if it will get any patch submissions or not, but I figured with it being closed, it definitely wouldn’t. If you submit anything you’re proud of (you can find the code here: http://github.com/terrbear/bgtwt), and I like it, I’ll happily put it up on the site.

    You’re also free to copy the code and do whatever you want with it. I’ll attach the proper license in a few days.

    If you’re looking for a feature that would be awesome and want to start playing with Rails, I’d like to integrate acts_as_unvlogable into bgtwt.

  • Rails and OpenID: Start Your Engines

    Posted on September 4th, 2009 terry 12 comments

    (Apologies for the ridiculously lame title, but I laughed while writing it, so it stays.)

    If you care about your users’ security, and your own time, it’s time to stop asking them for passwords. Storing passwords and handling authentication yourself means re-solving a set of problems that have already been solved, and doing it right takes a lot of work.

    Think about it. If you store users’ passwords in your database, you automatically have sensitive information on your server. Maybe it’s just a College Football Pick ‘Em site that stores nothing important … until it stores a user’s password. Let’s face it, most users don’t pick a new password for every site, so if someone breaks into your server and walks off with those passwords, you’re responsible for every other account they unlock with them.

    So you have to keep your server’s security up to date. Even then, a break-in is still possible, or you may have a malicious developer, so you can’t store the passwords in the clear. Encrypting them isn’t the answer either: anything reversible is reversed by whoever gets the key, and a plain hash is still susceptible to dictionary and rainbow-table attacks, because every user with the same password gets the same digest. You have to hash each password with its own random salt, using a deliberately slow algorithm such as bcrypt, so that a precomputed table is useless and guessing is expensive.
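    The salting point above, as an added example that is not code from the original post or from bgtwt: an unsalted fast hash lets one precomputed dictionary crack every account that shares a common password, while a per-user random salt plus a slow key-derivation function makes that table worthless. PBKDF2-HMAC-SHA256 is used here only because it ships in Ruby’s standard OpenSSL binding; bcrypt is the usual Rails choice. The password list, the user records and all function names are the example’s own, constructed for illustration.

```ruby
require "digest"
require "openssl"
require "securerandom"

# Added example (not code from the original post or from bgtwt).

# The weak approach: one fast, unsalted hash per password. Every user with
# the same password gets the same digest, so a single precomputed table of
# digest => password recovers all of them at once.
def unsalted_digest(password)
  Digest::SHA256.hexdigest(password)
end

# Constructed attacker dictionary: a few common passwords, hashed once and
# reused against every row in a stolen users table.
COMMON_PASSWORDS = %w[password 123456 letmein football].freeze

def precomputed_table
  COMMON_PASSWORDS.each_with_object({}) { |pw, t| t[unsalted_digest(pw)] = pw }
end

# Look every stored digest up in the table; returns { user => password }.
def crack_unsalted(stored_digests)
  table = precomputed_table
  stored_digests.each_with_object({}) do |(user, digest), found|
    found[user] = table[digest] if table.key?(digest)
  end
end

# The better approach: a 16-byte random salt per user and a deliberately
# slow KDF, so identical passwords hash differently and each guess is costly.
ITERATIONS = 100_000
KEY_LENGTH = 32

def salted_hash(password, salt = SecureRandom.random_bytes(16), iterations = ITERATIONS)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH,
                                  OpenSSL::Digest.new("SHA256"))
  # Keep scheme, cost, salt and derived key together so verification needs
  # nothing else; base64 keeps the binary parts printable.
  "pbkdf2-sha256$#{iterations}$#{[salt].pack('m0')}$#{[dk].pack('m0')}"
end

# Compare every byte rather than stopping at the first mismatch, so response
# time does not leak how many leading bytes of the hash a guess got right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(stored, candidate)
  scheme, iterations, salt_b64, dk_b64 = stored.split("$", 4)
  return false unless scheme == "pbkdf2-sha256"
  salt = salt_b64.unpack1("m0")
  expected = dk_b64.unpack1("m0")
  actual = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iterations.to_i, expected.bytesize,
                                      OpenSSL::Digest.new("SHA256"))
  constant_time_equal?(expected, actual)
end

if __FILE__ == $0
  # Constructed users table as a site using unsalted hashes would store it.
  dump = {
    "alice" => unsalted_digest("football"),
    "bob"   => unsalted_digest("football"),
    "carol" => unsalted_digest("correct horse battery staple"),
  }
  p crack_unsalted(dump)                         # alice and bob fall at once

  stored = salted_hash("football")
  p verify_password(stored, "football")          # true
  p verify_password(stored, "Football")          # false
  p salted_hash("football") == salted_hash("football")  # false: fresh salts
end
```

    Note that the stored string carries its own iteration count, so the cost can be raised for new hashes later without breaking verification of old ones.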

    What about brute-force login attempts against your sign-in page? Have you handled those, with rate limiting or lockouts, and do you log them?

    These are just some of the problems you take on the minute you decide to store someone’s password.

    A better solution? OpenID. Below I’ll explain how to use my newly written (really, repackaged) OpenID Rails engine, and you can be on your way to making the world an easier place to sign in to.
