zerosleeps

Since 2010

Simple tips for security and serial numbers

Monday 10 August 2020

Seth Godin has some good tips for dealing with random-but-usable-by-humans strings and codes. It’s something I spent a bit of time on when building our wedding website: the codes needed to be mildly secure, but easy to enter.

The final solution, which doesn’t seem to have caused any issues, was a random selection of 6 characters from upper-case A–Z, minus “I” and “O” (too easily confused with 1 and 0), plus digits 2–9 (so 0 and 1 are left out as well). That leaves 32 symbols, and 32^6 is just over a billion possible codes (roughly 2^30): plenty for a guest list, and “mildly secure” in the sense that it holds up only as long as nobody can make millions of guesses against the site.

choices = ('A'..'Z').to_a - ['I', 'O'] + ('2'..'9').to_a

When shown to humans, the codes are displayed as two groups of three characters:

A5D 8FU

The codes can be entered with or without the space, though, and are accepted whether they’re typed upper-case or not:

Invitation.find_by rsvp_code: params[:rsvp_code].upcase.gsub(/\s/, '')

So the example above could be entered as “a5d8fu”.
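Putting the pieces together, here is an added, self-contained Ruby example of the whole scheme (generation, display and lookup). It is not the wedding site’s code: the `Invitation` model is replaced by a hypothetical in-memory hash, `SecureRandom` is assumed as the source of randomness (the post doesn’t say which RNG was used), and it goes slightly beyond the post by guarding against a missing parameter (`nil.upcase` would raise) and by rejecting input that contains characters outside the alphabet before touching the store.

```ruby
require 'securerandom'

# Alphabet from the post: upper-case A-Z without I and O, plus digits 2-9.
# 32 symbols in total.
CHOICES = (('A'..'Z').to_a - ['I', 'O'] + ('2'..'9').to_a).freeze
CODE_LENGTH = 6

# Number of distinct codes: 32**6 = 1_073_741_824, roughly 2**30.
def code_space_size
  CHOICES.size**CODE_LENGTH
end

# Draw each character with SecureRandom rather than Array#sample / rand so
# the codes are unpredictable. (Assumption: the post does not name its RNG.)
def generate_code
  Array.new(CODE_LENGTH) { CHOICES[SecureRandom.random_number(CHOICES.size)] }.join
end

# Display form shown to humans: two groups of three, e.g. "A5D 8FU".
def format_code(code)
  code.scan(/.{3}/).join(' ')
end

# Normalise user input the way the post does (drop whitespace, upper-case),
# but return nil for a missing parameter instead of raising NoMethodError.
def normalize_code(input)
  return nil if input.nil?
  input.upcase.gsub(/\s/, '')
end

# A code is acceptable only if it could have been generated: exactly
# CODE_LENGTH characters, all from CHOICES. Anything containing 0, 1, I or O
# can never match, so it is rejected before any lookup.
VALID_CODE = /\A[#{CHOICES.join}]{#{CODE_LENGTH}}\z/

def valid_code?(code)
  !code.nil? && VALID_CODE.match?(code)
end

# Hypothetical stand-in for Invitation.find_by(rsvp_code: ...): `store` is a
# hash from normalised code to invitation record.
def find_invitation(store, input)
  code = normalize_code(input)
  return nil unless valid_code?(code)
  store[code]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data, not real invitations.
  store = { 'A5D8FU' => { name: 'Alice & Bob' } }
  puts format_code(generate_code)            # e.g. "K7W 3QR"
  p find_invitation(store, ' a5d 8fu ')      # the record for A5D8FU
  p find_invitation(store, 'A5D 8F0')        # nil: 0 is not in the alphabet
  p find_invitation(store, nil)              # nil: missing parameter
end
```

The validation regex is built from the same `CHOICES` array that generates the codes, so the two can’t drift apart if the alphabet changes; because no character in the alphabet is a regex metacharacter, interpolating it straight into a character class is safe.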

I do disagree with Seth’s last comment about saying “please” in forms though. I don’t think this fools anyone - users know they’re looking at a form and not having a conversation with a human. No need to beg.