zerosleeps

Since 2010

Simple tips for security and serial numbers

Seth Godin has some good tips for dealing with random-but-usable-by-humans strings and codes. It’s something I spent a bit of time on when building our wedding website: the codes needed to be mildly secure, but easy to enter.

The final solution, which doesn’t seem to have caused any issues, was a random selection of 6 characters from upper-case A–Z, minus “I” and “O”, plus digits 2–9:

choices = ('A'..'Z').to_a - ['I', 'O'] + ('2'..'9').to_a

When shown to humans, the codes are displayed as two groups of three characters:

A5D 8FU

But, the codes can be entered with or without the space, and will be accepted whether they’re entered upper-case or not:

Invitation.find_by rsvp_code: params[:rsvp_code].upcase.gsub(/\s/, '')

So the example above could be entered as “a5d8fu”.
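As an added example (not code from the original post), here is the whole scheme in one runnable Ruby script: the alphabet from the post, a generator that uses SecureRandom rather than Kernel#rand (my assumption; the post does not say which generator the wedding site used), the two-groups-of-three display form, and the normalisation step with a well-formedness check before the lookup. The Invitation.find_by lookup is replaced by a constructed hash so the script runs offline.

```ruby
require 'securerandom'

# Alphabet from the post: A-Z minus the easily confused I and O, plus digits 2-9.
# That is 32 characters, so a 6-character code has 32**6 (about 1.07 billion)
# possible values.
CODE_CHARS = (('A'..'Z').to_a - %w[I O] + ('2'..'9').to_a).freeze
CODE_LENGTH = 6

# Generate a code with SecureRandom so the sequence of issued codes is not
# predictable from the generator's internal state (assumption: the post does
# not specify its generator).
def generate_code
  Array.new(CODE_LENGTH) { CODE_CHARS[SecureRandom.random_number(CODE_CHARS.size)] }.join
end

# Display form: two groups of three characters, e.g. "A5D 8FU".
def format_code(code)
  code.scan(/.{3}/).join(' ')
end

# Normalise user input the way the post's lookup does (upcase, drop whitespace),
# then reject anything that is not a well-formed code. Returning nil here means a
# malformed or missing value never reaches the database lookup.
def normalize_code(input)
  return nil if input.nil?

  candidate = input.to_s.upcase.gsub(/\s/, '')
  return nil unless candidate.length == CODE_LENGTH
  return nil unless candidate.chars.all? { |c| CODE_CHARS.include?(c) }

  candidate
end

# Constructed stand-in for Invitation.find_by: stored codes mapped to a record.
INVITATIONS = { 'A5D8FU' => 'Alice & Bob' }.freeze

# Look up an invitation from raw form input; nil when the code is malformed or unknown.
def find_invitation(input)
  code = normalize_code(input)
  code && INVITATIONS[code]
end

if $PROGRAM_NAME == __FILE__
  fresh = generate_code
  puts "issued:  #{format_code(fresh)}"
  puts "lookup:  #{find_invitation('a5d 8fu').inspect}"
  puts "garbage: #{find_invitation('a5d 8fo').inspect}"
end
```

The explicit alphabet check is the part worth keeping: it catches "O" typed for "0" and "I" for "1" before the query runs, and it gives you a clean place to count failed attempts per client if you want to rate-limit guessing against the roughly one-billion code space.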

I do disagree with Seth’s last comment about saying “please” in forms though. I don’t think this fools anyone - users know they’re looking at a form and not having a conversation with a human. No need to beg.

Something went wrong

Another grumble about Atlassian’s Confluence. This time it’s the result of trying to view a page that requires authentication when you’re not already logged in to Confluence. Look at the state of this:

Screenshot

Confluence obviously knows I’m not logged in, and it definitely knows the page is restricted - it says so right there on the right. So what’s with all the angry messages and red warning icons?

If you hit the little login icon at the bottom left (yep, that’s how you get to a login page from here) and sign in, the bloody thing does take you to the right page as well! It knows what I wanted all along, and just forced this hostile page on you first.