
If you're storing passwords as MD5/SHA hashes, how difficult is it to switch over to bcrypt? I've never had to do this, but I would imagine it would be somewhat trivial. With all of the password leaks that have happened over the past few years, I'd imagine a good amount of developers are aware that storing passwords as MD5/SHA hashes is somewhat risky, so I can't understand why big websites (LinkedIn) are still doing it.


if your userbase is fairly active, you could migrate passwords the next time they login (and store a flag indicating the password "version"), since you'd have the plaintext version during authentication time.

alternatively, you could bcrypt all hashes now, and any time you authenticate, make sure to MD5/SHA hash the plaintext password before checking the password using bcrypt.

legacy code and especially authentication code that has huge exposure (code path hit during every login and potentially every session auth) is difficult/risky to change once deployed. making things "more secure" has always been a hard sell to management... until a disaster like this happens!


In Django, as I recall, you just check for a hashing indicator that's prefixed to the hashed password, and do something like this on a user's log-in:

    if hashed_password.startswith("sha$"):
        hashed_password = bcrypt(hashed_password)
(or `... = "bc$" + bcrypt(hashed_password)`. However it's done.)

Here is the relevant code for django-bcrypt: https://github.com/dwaiter/django-bcrypt/blob/master/django_....

In your case, you could probably do this:

    if not hashed_password.startswith("bc$")\
       and sha(entered_password) == hashed_password:
        hashed_password = "bc$" + bcrypt(entered_password)
You don't have the prefix identifier, but that's okay; you just roll out an equivalent now instead, so you only have to check the start of the hash string and do the conversion, if it hasn't already been performed.

Of course, you have to account for the prefix identifier when validating an entered password against the stored hash.

YMMV.


On a quick revision, the first code should read

    hashed_password = bcrypt(entered_password)
Not `bcrypt(hashed_password)`.


We did it on Clojars, the Clojure library source, without much trouble:

https://github.com/ato/clojars-web/compare/68872652fc427cc1....

We had a month or two grace period in which anyone logging in would have their password upgraded to bcrypt automatically, then wiped the SHA1s.

https://groups.google.com/forum/#!msg/clojure/Xg1I0rgt85s/Vf...


Could you use e.g. bcrypt(SHA1(x))? I think that should be OK, and avoids the issues with switching over current users (just take the bcrypt of the currently stored passwords).


It is always possible to apply additional hashes to the MD5/SHA. First strip away the salt, then apply bcrypt or scrypt, next store both the new salt and the old salt plus the new hash. Validating passwords will require two steps. First, hashing the entered password with old salt, then applying bcrypt one more time.


This doesn't really answer your question, but you should take a look at 99designs. Depending on your needs, it could help make finding and working with designers pretty painless. I used it because I needed a logo for a side project and I had a great experience.


I love 99designs for logos but we are building a web application, so a lot of interface design, and I haven't seen many success stories for that type of thing out of crowd sourced design sites.


You choose how long you want the passwords LastPass generates for you to be. I like mine to be 24 characters if possible.


You should add a note on the page that lets people know that checking a password takes a minute or two.

EDIT: Actually never mind, seems like it's much faster now.


Yeah. We got hit pretty hard. It doesn't actually take a minute or two, unless you're doing a few hundred at the same time. Fixing. (-:


Can you confirm you're not logging/recording the hashed passwords?


We can tell you we're not, but that doesn't actually confirm anything. (We're really not, though.)

To be safe, you should consider the SHA-1 hash of your LinkedIn password to be public, even if it's not one of these 6.5 million.


It's pretty easy to customize Bootstrap to your needs. Whenever I start a project, I usually always use Bootstrap to help increase my development pace. Once all of the functionality is done, I then try to get away from the default Bootstrap look and give my project a unique look. I can usually do this just by playing with the variables in variables.less, although sometimes I have to add some styling on top of Bootstrap.

For example, I used Bootstrap for my Chrome extension's web page (http://thejakeharding.com/philanthropist/). At first glance, you probably wouldn't realize Bootstrap was used, but really, Bootstrap is pretty much the only thing that was used for styling. All I did was tweak some variables.


Unrelated to the OP, related to the extension, but doesn't this sort of thing attract Amazon's wrath, having an Associate ID set without any referrer from the project site itself?


This is actually going to be the topic of my next blog post. Reading through the Associates Program Operating Agreement (https://affiliate-program.amazon.com/gp/associates/agreement...), it seems like there is a decent chance Philanthropist would be in violation of something. However, that agreement is for associates, so I'm not sure if those rules would apply to a browser extension.

Also, I mostly built the extension for myself so I could easily support one of my favorite podcasts. There are only about 10 other users and since I don't really plan on advertising the extension, I doubt the user-base will ever get big enough to warrant concern from Amazon.


You should give Programming Interviews Exposed: Secrets to Landing Your Next Job (http://www.amazon.com/Programming-Interviews-Exposed-Secrets...) a read. It gives you a good idea of what to expect and how you can prepare. I read it before I started interviewing a few months ago and I found it to be very helpful.


This reminds me of a topic the guys from the TechZing podcast talk about pretty frequently, increasing your luck surface area. Jason Roberts has a short post about it on his blog that sums it up pretty well (http://www.codusoperandi.com/posts/increasing-your-luck-surf...). This concept has resonated with me and for the past couple of months, I've started to do things with the hopes of increasing my luck surface area.


I came here to say this. It's important to realize the size of luck's effect on our lives, but the next step isn't just to shrug and say "oh well, I guess I wasn't lucky."

There are in fact scientifically proven ways to increase one's chance for getting lucky. I highly recommend Richard Wiseman's book "The Luck Factor" which goes into this research: http://www.richardwiseman.com/books/luckfactor.html


When I moved into my current apartment a year ago, I made a conscious decision not to get cable. I've heard people say cable is the path of least resistance to ending boredom and in my experience that's true. Eliminating that path has caused me to do other things to end my boredom such as reading a book, exercising, or working on a side project. I don't think it's a coincidence that this past year has been one of the most productive ones of my life.

I still have a TV and a Roku by the way, so I'm not totally disconnected. I still watch movies and shows I'm interested in. By not having cable though, I avoid the time sink of channel surfing and that's been huge for me.


Glad to see Twitter doing this, it's definitely a step in the right direction. In my opinion what this really needs is the support from another well-known company. If a company like Facebook announced next week that they were adopting the Innovators Patent Agreement, I think that could get the ball rolling and we would start to see many other companies join the cause.


I completely agree. I recently released my first Chrome extension and I found the documentation and guides to be clear and concise. I'm now looking into creating a Firefox extension and the learning curve has been very painful. I spent an hour or so just going through the Firefox docs and I'm still unsure how to start building an extension.

