Two-factor authentication is not the solution to the inherent flaws of password-based security

Uh, I really don’t have much more to say than that.

OK, maybe a bit. As a web developer working in client services, at least once a week I am confronted with the situation of having to log into a client’s account for something… MailChimp, GoDaddy, etc.

Many of these services have switched to 2FA-by-default, which I agree is more secure than plain old passwords (which I bet some of them still store in their databases as clear text). But 2FA is a pain in the ass. Especially when you’re in my position, and the phone number or email address that receives the one-time authorization code belongs to the client, not me.

Any time I need to log in, it requires coordination with the client to be sure they’re available to pass along the code to me. Which is just stupid.

Fortunately a lot of these companies have realized how common this kind of situation is, and how it’s a valid scenario, and they’ve worked around the limitation by creating “teams,” so clients can add me to their account as my own separate user, with my own login credentials, and my own 2FA.

But it’s still a pain in the ass. And not every service offers it. For example, MailChimp used to allow up to 3 users, I believe, on their free accounts, but now it’s just one. Of course, of course. Just pay for the service, right? Well sure, but service providers with a free tier imposing such a ridiculous limitation on that free tier as a way to upsell the paid tiers is kind of self-defeating. “Hi, we’re creating a crappy experience for you, and that’s the only experience you’ve known with us. But if you start paying us, we’ll make it not-crappy. We promise!” OK.

But it’s not really MailChimp’s fault. It’s that 2FA sucks. It’s more secure than plain ol’ passwords, but it’s even less convenient.

And while I’m ranting futilely, why do we even need security at all? Because people suck, period.

While I was writing this, I was waiting for a client to send me a 2FA code for MailChimp. I’m in! And fortunately, this particular client is on the paid tier, so I was able to add myself as a user. A process which involved… wait for it… a CAPTCHA! (Time for another rant.)

New WordPress plugin: Remove Broken Images

If you have a WordPress blog dating back many, many years, and you’ve just completed a massive cleanup of images from your Media Library, or if you just have any other reason why there might be a bunch of <img> tags in your blog posts that no longer go anywhere, you may be wondering if there’s an easy way to just, you know, have those annoying broken image icons not show up all over your pages.

Now there’s a way!

OK, actually there already were a few different ways, via free plugins, but as is so often the case with a lot of these types of small, single-purpose plugins, I find they’re almost always either really clumsily written, overloaded with unnecessary features, or both.

So I wrote my own.

This plugin couldn’t be simpler. It assumes that you just don’t want to display broken images — whether that’s the ugly little “missing image” icon some browsers display, the large outlined box containing an ugly little icon and the missing image’s “alt” text, or just a big blank white space. It doesn’t have an option for showing a different, placeholder image. Because, let’s be honest, that doesn’t look good… especially if you have more than a few of these to deal with. Having the same placeholder appear all over your site looks as bad as having broken image icons everywhere.

The plugin relies on the JavaScript error event, and uses some very compact jQuery code to remove any <img> tags that trigger the error, and their containing link and caption element, if present.
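The approach described above, sketched with the plain DOM API as an added example (this is not the plugin's own jQuery code). The `wp-caption` and `wp-block-image` wrapper classes and all function names are assumptions chosen for illustration; the sketch also covers two cases the description skips: `error` does not bubble, and an image may have failed before the script ran.

```javascript
// Added example, not the plugin's code. Plain DOM API, no jQuery.
// Assumed markup: an optional <a> directly around the image, and an optional
// caption container carrying one of the classes below.
const CAPTION_CLASSES = ['wp-caption', 'wp-block-image'];

// Outermost element that should disappear with a broken image:
// the image, its wrapping link, or the caption container around either.
function removalTarget(img) {
  let target = img;
  const parent = img.parentElement;
  if (parent && parent.tagName === 'A') target = parent;
  const outer = target.parentElement;
  if (outer && CAPTION_CLASSES.some((c) => outer.classList.contains(c))) {
    target = outer;
  }
  return target;
}

// Loading finished but there is no decodable image: the failure happened
// before any listener could be attached.
function isAlreadyBroken(img) {
  return img.complete && img.naturalWidth === 0;
}

function removeBrokenImage(img) {
  const target = removalTarget(img);
  target.remove();
  return target;
}

function install(doc) {
  // "error" does not bubble, so listen in the capture phase on the document.
  doc.addEventListener('error', (event) => {
    const el = event.target;
    if (el && el.tagName === 'IMG') removeBrokenImage(el);
  }, true);
  // Sweep images that failed before this script ran.
  for (const img of doc.querySelectorAll('img')) {
    if (isAlreadyBroken(img)) removeBrokenImage(img);
  }
}

// Only wire up in a browser; under Node the functions are just defined.
if (typeof document !== 'undefined') install(document);
```
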

The end result is a clean-looking blog with no indications whatsoever that anything is missing. Unless the text of your blog post describes the image in excruciating detail. In that case… you’ll just have to wait for version 2.

You can download Remove Broken Images right now from the WordPress Plugin Directory.

Just another Halloween…

So last night a kid who honestly was probably too old to be trick-or-treating said, “thank you SO much” very sarcastically when I dropped one small piece of candy into his pillowcase and it stuck very conspicuously near the top, so it was obvious how little I gave him.

I immediately had negative thoughts about his reaction, but I had nothing to say because honestly, he was right. It was pretty stingy. But the problem was, we only bought one bag of candy this year, not knowing how many kids to expect, and it turned out to be a busier-than-usual year. (Most years we buy 2-3 bags and have 2+ bags’ worth left over at the end of the night.)

I started the night giving each kid 2 pieces, but I quickly realized that at that rate I was going to run out before 7 PM, so it was time to dial it back.

So yeah, I guess I deserved to get called out by a snotty 13-year-old for my less-than-copious candy offerings. Some people might say kids shouldn’t act so entitled but honestly, this is part of the social contract we agree to when we decorate the front of our house and turn on the porch light on October 31. Kids are going to come to our door for the express purpose of us putting a reasonable amount of candy into whatever receptacle they happen to be carrying, and one “fun size” Twix is not a reasonable amount.

On a more positive note, not only did it feel like a “normal” year last night, but SLP and I even managed to watch both Halloween and The Shining in their entirety, without falling asleep. (Well… she may have dozed off briefly around the time Dick Halloran was sensing the call to leave his Miami retreat.)

The day Facebook performed seppuku

I don’t have much to say about all of this, other than that I would probably, yes, be posting this on Facebook if it were affecting literally anything else in my known realm of existence.

Today Facebook killed itself. But its undead corpse will surely rise again.

The problem is some kind of colossal DNS snafu, which has, for all intents and purposes, temporarily caused facebook.com to cease to exist.

Ah… the air somehow smells fresher today. The water tastes better. The sun shines brighter.

But I know it won’t last.

Anyway… today’s the day it happened. Here’s some more in-depth information from Ars Technica which hopefully will not disappear down the Memory Hole anytime soon.

Update: This Cloudflare blog post probably provides the definitive explanation of what happened.

Hall and Oates vs. Tears for Fears? This is happening?

I got up early this morning to do some server maintenance, but as I was sipping my coffee and absentmindedly glancing at Twitter, I noticed that Tears for Fears — one of my favorite bands from the ’80s — was trending.

Half the time, when someone’s trending, it means they just died. With a band, hard to say. But it’s definitely a coin toss between something tragic or something completely irrelevant outside the warped world of Twitter, and in this case, it was the latter, in the form of a tweet asking people to pick between them and Hall and Oates.

Well, of course I had to get in on this. Below is a lightly edited version of the tweet thread I produced on the topic.


I have to guess from the fact that Tears for Fears are trending but Hall and Oates aren’t, that more people prefer Tears for Fears. Oh, where do I begin?

First, yes. Hall and Oates.

I love both, but they can’t really be compared.

Second, anyone who is even inclined to make the comparison is apparently unaware of a thing called “the ’70s”.

Hall and Oates had already accomplished more in the ’70s than Tears for Fears ever did, and they hadn’t even gotten to the stuff they’re best known for.

That said, Songs from the Big Chair is one of the absolute best albums of the ’80s, and is probably better than any album Hall and Oates produced in that decade. Probably. I mean, Private Eyes, H2O and Big Bam Boom are all amazing, but inconsistent. Big Chair is a cohesive work.

Still, if you compare by any criteria: number of big albums, number of hit songs, length of their “relevant” period, the wide range of their appeal (I didn’t even get into that), Hall and Oates have to come out on top.

Which group do I still listen to more now, though? It’s kind of a toss-up. I have both Private Eyes and Songs from the Big Chair on vinyl and they are spinning frequently, but on Spotify I probably listen to Tears for Fears more.

Bottom line: two things.

  1. Comparisons are stupid.
  2. Both of these bands are amazing and if this stupid comparison gets more “young folks” to check them out, that is, as we said in the ’80s, awesome.

And in conclusion, please watch… this video of my favorite Tears for Fears song.

You should also watch Rick Beato’s awesome “What Makes This Song Great” video about it.

P.S. OK, yes I had forgotten initially that they actually toured together this year. I haven’t really been ready to go to a crowded concert venue yet, plus I didn’t hear about their stop here until about one hour after it started!