Banks don’t get it. Telcos struggle with it. Airlines haven’t got a clue. That’s right folks, its password time again. Earlier in the year I wrote a little post about the who’s who of bad password practices [https://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html]. I named, I shamed and I got a resounding chorus of support. The point was made. But it still bugged me. Why were our banks and airlines so consistently forcing us to choose poor passwords? Why do they constrain our...

Let’s assume you log onto a bunch of different websites; Facebook, Gmail, eBay, PayPal probably some banking, maybe a few discussion forums and probably much, much more. Do you always create unique passwords such that you never use the same one twice? Ever? Do your passwords always use different character types such as uppercase and lowercase letters, numbers and punctuation? Are they “strong”? If you can’t answer “yes” to both these questions, you’ve got yourself a problem. But the thing is,...

I must have struck a chord with the folks at Red Gate recently when I wrote about Automated database releases with TeamCity and Red Gate [https://www.troyhunt.com/2011/02/automated-database-releases-with.html]. Inadvertently, I managed to get this post out right in the final stages of their work on SQL Source Control 2 which added the ability to version static data. This was pretty opportune timing and caused me to rewrite – and significantly simplify – a fair swathe of the post. Clearly the po...

So I went along to the ThoughtWorks quarterly update on Continuous Delivery [http://www.thoughtworks.com/events/thoughtworks-quarterly-briefing-continuous-delivery] today. This took the form of a panel discussion with Martin Fowler [http://martinfowler.com/], Evan Bottcher [http://evan.bottch.com/] and Neal Ford [http://nealford.com/]. Smart guys, interesting topic and tantalising banner ad: The good news is that I didn’t hear anything that sounded too foreign. Either they were principles I’...

Databases have long been the poor cousin of the application tier when it comes to many of the processes we take for granted in the .NET world. Source control management, for example, is near ubiquitous for application files and there are several excellent VCS products which make versioning a breeze. Continuous integration is another practice which although not as common, is still frequently present in a robust application lifecycle. Of course the problem is that database objects don’t exist as...

Who remembers what it was like to build web apps on a shared development server? I mean the model where developers huddled around shared drives mapped to the same UNC path and worked on the same set of files with reckless abandon then fired them up in the browser right off the same sever. Maybe this is an entirely foreign concept to you but I certainly have vivid memories from the late 90s of building classic ASP apps (ye olde VB script) in Dreamweaver, side by side my fellow developers working...

It’s about assurance. It’s about establishing a degree of trust in a site’s legitimacy that’s sufficient for you to confidently transmit and receive data with the knowledge that it’s reaching its intended destination without being intercepted or manipulated in the process. Last week I wrote a (slightly) tongue-in-cheek post about the Who’s who of bad password practices [https://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html]. I was critical of a number of sites not implementin...

Ah, passwords. Love ‘em or hate ‘em, they’re a necessary evil of the digital age. The reality is we all end up with an alphabet soup of passwords spread over dozens of various sites and services across the internet. Whilst we might not always practice it, we all know the theory of creating a good password; uniqueness, randomness and length. The more of each, the better. Of course we frequently don’t do this because of all sorts of human factors such as convenience, memory or simple unawareness...

Late last year I got all excited about continuous deployment with TeamCity when I wrote a five part series [https://www.troyhunt.com/2010/11/you-deploying-it-wrong-teamcity.html] on using it in conjunction with web deploy. I then went on to write about Continuous code quality measurement with NDepend and TeamCity [https://www.troyhunt.com/2010/12/continuous-code-quality-measurement.html] and Continuous project statistics with StatSVN and TeamCity [https://www.troyhunt.com/2010/12/continuous-proj...

Here’s the thing about securing credentials in web apps; you’re not just responsible for securing your application, you’re also responsible for securing your customer’s identities. Let me demonstrate: 123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, fuckyou, starwars, shadow, princess, cheese These 25 passwords were used a total of 13,411 times by people with Gawker...