Two-factor authentication is not the solution to the inherent flaws of password-based security

Uh, I really don’t have much more to say than that.

OK, maybe a bit. As a web developer working in client services, at least once a week I am confronted with the situation of having to log into a client’s account for something… MailChimp, GoDaddy, etc.

Many of these services have switched to 2FA-by-default, which I agree is more secure than plain old passwords (which I bet some of them still store in their databases as clear text). But 2FA is a pain in the ass. Especially when you’re in my position, and the phone number or email address that receives the one-time authorization code belongs to the client, not me.

Any time I need to log in, it requires coordination with the client to be sure they’re available to pass along the code to me. Which is just stupid.

Fortunately a lot of these companies have realized how common this kind of situation is, and how it’s a valid scenario, and they’ve worked around the limitation by creating “teams,” so clients can add me to their account as my own separate user, with my own login credentials, and my own 2FA.

But it’s still a pain in the ass. And not every service offers it. For example, MailChimp used to allow up to 3 users, I believe, on their free accounts, but now it’s just one. Of course, of course. Just pay for the service, right? Well sure, but service providers with a free tier imposing such a ridiculous limitation on that free tier as a way to upsell the paid tiers is kind of self-defeating. “Hi, we’re creating a crappy experience for you, and that’s the only experience you’ve known with us. But if you start paying us, we’ll make it not-crappy. We promise!” OK.

But it’s not really MailChimp’s fault. It’s that 2FA sucks. It’s more secure than plain ol’ passwords, but it’s even less convenient.

And while I’m ranting futilely, why do we even need security at all? Because people suck, period.

While I was writing this, I was waiting for a client to send me a 2FA code for MailChimp. I’m in! And fortunately, this particular client is on the paid tier, so I was able to add myself as a user. A process which involved… wait for it… a CAPTCHA! (Time for another rant.)

New WordPress plugin: Remove Broken Images

If you have a WordPress blog dating back many, many years, and you’ve just completed a massive cleanup of images from your Media Library, or if you just have any other reason why there might be a bunch of <img> tags in your blog posts that no longer go anywhere, you may be wondering if there’s an easy way to just, you know, have those annoying broken image icons not show up all over your pages.

Now there’s a way!

OK, actually there already were a few different ways, via free plugins, but as is so often the case with a lot of these types of small, single-purpose plugins, I find they’re almost always either really clumsily written, overloaded with unnecessary features, or both.

So I wrote my own.

This plugin couldn’t be simpler. It assumes that you just don’t want to display broken images — whether that’s the ugly little “missing image” icon some browsers display, the large outlined box containing an ugly little icon and the missing image’s “alt” text, or just a big blank white space. It doesn’t have an option for showing a different, placeholder image. Because, let’s be honest, that doesn’t look good… especially if you have more than a few of these to deal with. Having the same placeholder appear all over your site looks as bad as having broken image icons everywhere.

The plugin relies on the JavaScript error event, and uses some very compact jQuery code to remove any <img> tags that trigger the error, and their containing link and caption element, if present.
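The mechanism described above, as an added example that is not the plugin’s own code: the jQuery is swapped for plain DOM listeners, and the wrapper markup it climbs through (an optional parent `<a>`, then a `<figure class="wp-block-image">` or `<div class="wp-caption">` caption container) is an assumption about what the WordPress editors emit. The `makeNode` and `sampleFigure` helpers are a constructed stand-in for the DOM so the selection logic can be exercised outside a browser.

```javascript
// Added example: hide images whose load fails, along with the link and caption
// wrapper that would otherwise be left behind as an empty shell.
// Assumed WordPress wrapper classes (not taken from the plugin itself):
const CAPTION_CLASSES = ['wp-block-image', 'wp-caption'];

// Decide which element to remove for a failed <img>. Works on any node-like
// object exposing tagName, classList and parentElement, so it can be tested
// without a browser.
function findRemovalTarget(img) {
  let target = img;
  const parent = target.parentElement;
  if (parent && parent.tagName === 'A') {
    target = parent; // drop the link that wrapped the image
  }
  const container = target.parentElement;
  if (container && CAPTION_CLASSES.some(c => container.classList.contains(c))) {
    target = container; // drop the figure/caption wrapper as well
  }
  return target;
}

// Detach the chosen element from the tree and return it.
function removeBrokenImage(img) {
  const target = findRemovalTarget(img);
  if (target.parentElement) target.parentElement.removeChild(target);
  return target;
}

// The 'error' event on <img> does not bubble, so each image needs its own
// listener. Images that already failed before this script ran never fire
// 'error' again; those are caught by the complete/naturalWidth check instead
// (naturalWidth === 0 is the usual broken-image signal; note that SVGs without
// intrinsic size can report 0 too). Returns how many were removed immediately.
function installBrokenImageHandler(doc) {
  let removed = 0;
  for (const img of Array.from(doc.querySelectorAll('img'))) {
    if (img.complete && img.naturalWidth === 0) {
      removeBrokenImage(img);
      removed++;
    } else {
      img.addEventListener('error', () => removeBrokenImage(img), { once: true });
    }
  }
  return removed;
}

// Minimal constructed stand-in for DOM nodes (only what the logic above touches).
function makeNode(tagName, classes = [], children = []) {
  const node = {
    tagName: tagName.toUpperCase(),
    classList: { contains: c => classes.includes(c) },
    parentElement: null,
    children: [],
    removeChild(child) {
      this.children = this.children.filter(c => c !== child);
      child.parentElement = null;
    },
  };
  for (const child of children) {
    child.parentElement = node;
    node.children.push(child);
  }
  return node;
}

// Constructed sample: a linked, captioned image inside a post body.
function sampleFigure() {
  const img = makeNode('img');
  const link = makeNode('a', [], [img]);
  const caption = makeNode('figcaption');
  const figure = makeNode('figure', ['wp-block-image'], [link, caption]);
  const post = makeNode('div', ['entry-content'], [figure]);
  return { post, figure, img };
}

// In a browser, wire everything up once the post markup is parsed.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => installBrokenImageHandler(document));
}
```

Running `sampleFigure()` and passing its `img` to `removeBrokenImage` removes the whole `<figure>`, so no orphaned caption or empty link remains; a bare `<img>` inside a paragraph is removed on its own and the paragraph is left intact.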

The end result is a clean looking blog with no indications whatsoever that anything is missing. Unless the text of your blog post describes the image in excruciating detail. In that case… you’ll just have to wait for version 2.

You can download Remove Broken Images right now from the WordPress Plugin Directory.

Just another Halloween…

So last night a kid who honestly was probably too old to be trick-or-treating said, “thank you SO much” very sarcastically when I dropped one small piece of candy into his pillowcase and it stuck very conspicuously near the top, so it was obvious how little I gave him.

I immediately had negative thoughts about his reaction, but I had nothing to say because honestly, he was right. It was pretty stingy. But the problem was, we only bought one bag of candy this year, not knowing how many kids to expect, and it turned out to be a busier-than-usual year. (Most years we buy 2-3 bags and have 2+ bags’ worth left over at the end of the night.)

I started the night giving each kid 2 pieces, but I quickly realized that at that rate I was going to run out before 7 PM, so it was time to dial it back.

So yeah, I guess I deserved to get called out by a snotty 13-year-old for my less-than-copious candy offerings. Some people might say kids shouldn’t act so entitled but honestly, this is part of the social contract we agree to when we decorate the front of our house and turn on the porch light on October 31. Kids are going to come to our door for the express purpose of us putting a reasonable amount of candy into whatever receptacle they happen to be carrying, and one “fun size” Twix is not a reasonable amount.

On a more positive note, not only did it feel like a “normal” year last night, but SLP and I even managed to watch both Halloween and The Shining in their entirety, without falling asleep. (Well… she may have dozed off briefly around the time Dick Halloran was sensing the call to leave his Miami retreat.)

The day Facebook performed seppuku

I don’t have much to say about all of this, other than that I would probably, yes, be posting this on Facebook if it were affecting literally anything else in my known realm of existence.

Today Facebook killed itself. But its undead corpse will surely rise again.

The problem is some kind of colossal DNS snafu, which has, for all intents and purposes, temporarily caused Facebook to cease to exist.

Ah… the air somehow smells fresher today. The water tastes better. The sun shines brighter.

But I know it won’t last.

Anyway… today’s the day it happened. Here’s some more in-depth information from Ars Technica which hopefully will not disappear down the Memory Hole anytime soon.

Update: This Cloudflare blog post probably provides the definitive explanation of what happened.

On Simplicity, Complexity, and/or Bad Design

When I was first starting out in my career and I’d encounter a complicated system I couldn’t understand, I blamed my own inexperience.

Mid-career, I started to realize that, no, a lot of systems are just really poorly designed, and I was experiencing cognitive dissonance, trying to find a complex and subtle logic where there was none.

Now as I’m entering (eek) the late stages of my career, I’m experiencing those systems in a third way that I’m still trying to comprehend. It’s not specifically that they’re badly designed (though they may be). It’s that they’re necessarily convoluted because they’re trying to model an inherently convoluted human process.

No matter the skill of the developer, sometimes it’s just impossible to translate the messy, inconsistent, illogical, organically assembled, internally conflicted and occasionally politically-motivated* ways humans concoct to complete a task, into a simple, intuitive program.

Anyway… I just spent a half hour trying to make a little bit of sense of a system that had a clean and modern interface, but one that concealed an unbelievably arcane, niche-specific database model. Now my brain hurts.

*By “politically-motivated” I’m talking about internal politics within an organization, not government-level politics.