Wednesday, 27 April 2011

Making friends with Red Gate


I’ve spent quite a bit of time writing about Red Gate products over the last year, particularly SQL Source Control, which is simply the best damn way to finally get those pesky databases into VCS. The fact that it now plays nicely with its first cousins SQL Compare and SQL Data Compare means the dream of VCS-sourced automated deployments of data and schema for the masses is finally a reality.

What I like about the Red Gate products in general is that they take traditionally laborious, low-value tasks and totally transform the way we approach them. Migrating a database? Just SQL Compare it in a few clicks rather than manually writing time-consuming, error-prone scripts. Load testing an app? Just SQL Data Generate millions of realistic records in an instant rather than manually constructing dummy data, which is rarely a good reflection of typical transactions (or worse, just take a copy of production data – nasty!). How about tracking down that elusive .NET performance bottleneck? ANTS Performance Profiler needs to be seen to be believed.


Monday, 18 April 2011

Bad passwords are not fun and good entropy is always important: demystifying security fallacies


A couple of different friends sent me over a link to an article about The Usability of Passwords this weekend, clearly thinking it would strike a chord. Well, let’s just say I was enthralled before I even finished the second line:

Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice.

The crux of the article (and subsequent FAQ) is that so long as a password is sufficiently long – the example used is “this is fun” – you’re pretty damn secure (apparently eleven characters is just right). Actually, the term used was secure forever. Wow, two pretty absolute terms.

This actually sounded alarmingly familiar:

xkcd random password comic

Eleven characters is probably above average as far as password length goes, no arguing there. Of course the choice of all lowercase characters and a couple of spaces is problematic, but I’ll get back to that. What I found most interesting, though, was the basis on which the conclusion was formed, and I thought that could do with some clarifying. So let’s take a look at these claims and apply a bit of objective analysis to see if they hold water.

Does a brute force attack really only run at 100 attempts per second?

Is "this is fun" really 10 times more secure than "J4fS<2"?

Do rainbow tables really work by an attacker copying and pasting a hash into a website?

Are bad password management practices on the server really not your problem?

And perhaps most interesting of all – and the whole crux of this post – is a simple lowercase password you can easily remember really more secure than a shorter but more complex version? Let’s find out.
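The questions above boil down to arithmetic, so here is an added worked example (my own code, not from the article or the post it critiques) that puts numbers on both passwords. It models two attackers: a character-by-character brute force that only learns which character classes the password uses, and a wordlist attack that treats a lowercase phrase as a sequence of common words. The guess rates are assumptions for illustration: 100 guesses per second is the throttled online figure the article relies on, and 1,000,000,000 per second stands in for an offline attack on leaked unsalted hashes; neither is a measurement. The 2,000-word dictionary size is likewise an assumed figure.

```python
import math

# Constructed example inputs: the two passwords the article compares.
PHRASE = "this is fun"
COMPLEX = "J4fS<2"

# Assumed guess rates (hypothetical figures for illustration, not measurements).
ONLINE_RATE = 100                 # throttled online guessing, as the article assumes
OFFLINE_RATE = 1_000_000_000      # offline cracking of leaked, unsalted hashes

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    """Alphabet a brute-forcer must enumerate if it learns only which
    character classes the password uses (the classic 'complexity' model)."""
    classes = [
        (26, str.islower),
        (26, str.isupper),
        (10, str.isdigit),
        (1, lambda c: c == " "),
        (32, lambda c: not c.isalnum() and c != " "),  # printable ASCII punctuation
    ]
    return sum(size for size, test in classes if any(test(c) for c in pw))


def brute_force_space(pw: str) -> int:
    """Candidates for an exhaustive search over the detected classes."""
    return charset_size(pw) ** len(pw)


def wordlist_space(pw: str, dictionary_size: int = 2000) -> int:
    """Candidates if the attacker guesses the password as a sequence of
    common words drawn from an assumed dictionary_size-word list."""
    return dictionary_size ** len(pw.split(" "))


def entropy_bits(space: int) -> float:
    """Search space expressed in bits, so the two passwords are comparable."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: int) -> float:
    """Worst-case time to try every candidate at the given guesses per second."""
    return space / rate / SECONDS_PER_YEAR


def compare(pw: str) -> dict:
    """Summarise both attack models; the attacker uses whichever is cheaper."""
    brute = brute_force_space(pw)
    # Only a space-separated phrase is exposed to the wordlist model.
    words = wordlist_space(pw) if " " in pw else brute
    best = min(brute, words)
    return {
        "charset": charset_size(pw),
        "brute_force_space": brute,
        "wordlist_space": words,
        "bits": round(entropy_bits(best), 1),
        "years_at_online_rate": years_to_exhaust(best, ONLINE_RATE),
        "years_at_offline_rate": years_to_exhaust(best, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for pw in (PHRASE, COMPLEX):
        print(f"{pw!r}: {compare(pw)}")
```

Run stand-alone it shows the two claims pulling in opposite directions: against a naive character brute force, “this is fun” (27^11 candidates) is thousands of times larger than “J4fS<2” (94^6), but as soon as the attacker models it as three common words the phrase collapses to 2,000^3, which is smaller than the short complex password’s space. And the 100 guesses per second figure only holds for a throttled online login; at the assumed offline rate both spaces are exhausted in hours or days, not centuries, which is why server-side hashing practice is not “someone else’s problem”.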


Monday, 4 April 2011

The accidental MVP


An unexpected email was waiting for me when I got off the plane from a recent work trip to Thailand on Saturday:

Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Developer Security technical communities during the past year.

Given this was sent out on April 1st, one could be forgiven for being a little sceptical. Being loaded up with healthy doses of overwork and jet lag when I read the email didn’t help make things any clearer, but a couple of days on, after the dust has settled, it appears I am an MVP. I even have a very nice letter which they kindly offered to send to my boss:

MVP letter
