Nov 22 2010

New password locking guidelines

Category: Uncategorized | zvolkov @ 10:43 am

(Inspired by a security.stackexchange.com question)

Locking an account after three failed attempts may look like a sound security measure, but it is very confusing for the user. Offering secret questions as the way to unlock the account is a security hole, since the answers are just a weaker second password. Requiring an admin to unlock accounts by hand does not scale.

If you think about it, the only reason the lockout exists at all is to stop online brute-force password guessing.

Here are the new guidelines Bill Cheswick of AT&T presented at the OWASP AppSec 2010 conference; they are designed to address exactly these issues:

  • Don’t count the same invalid password re-entered several times in a row toward the lockout limit (that is a user retyping a stale password, not an attacker trying a new guess);
  • Instead of having users set up a secret question, which is effectively a (weak) secondary password, have them set up a password hint that reminds them of the primary password;
  • Lock the account only temporarily, with increasing time increments: e.g. 5, 10, 20, 60 minutes.
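The following is a worked implementation of the first and third guidelines, added here as an example; it is not code from the post or from Cheswick's talk. The threshold of three distinct wrong passwords per window, the in-memory user table with a constructed password, the per-process key used to fingerprint the last wrong attempt, and the clock passed in as a parameter are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Policy values for the example: lock after this many *distinct* wrong
# passwords, for the escalating durations the post lists (5, 10, 20, 60 min).
LOCKOUT_THRESHOLD = 3
LOCK_DURATIONS_SEC = [5 * 60, 10 * 60, 20 * 60, 60 * 60]

# Constructed user table (assumption for the example): one PBKDF2 hash per user.
_SALT = b"example-salt-not-for-production"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse")}

# Per-process key used to fingerprint the last wrong attempt, so a repeat can be
# recognised without keeping the plaintext guess around.
_ATTEMPT_KEY = secrets.token_bytes(32)


def _fingerprint(password: str) -> bytes:
    return hmac.new(_ATTEMPT_KEY, password.encode(), "sha256").digest()


@dataclass
class AccountState:
    failures: int = 0          # distinct wrong passwords in the current window
    lock_level: int = 0        # index of the duration the next lock will use
    locked_until: float = 0.0  # unix time; 0 means not locked
    last_bad: bytes = b""      # fingerprint of the most recent wrong password


class LockoutPolicy:
    def __init__(self) -> None:
        self.state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Process one login attempt; returns 'ok', 'bad_password' or 'locked'."""
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"   # even the right password waits out the lock

        # Hash unconditionally so unknown users cost the same time as known ones.
        supplied = _hash_password(password)
        if user in USERS and hmac.compare_digest(USERS[user], supplied):
            self.state[user] = AccountState()   # success: next lock starts at 5 min again
            return "ok"

        fp = _fingerprint(password)
        if hmac.compare_digest(fp, st.last_bad):
            # Guideline 1: the same wrong password again is a user retyping a
            # stale password, not a new guess, so it does not count.
            return "bad_password"
        st.last_bad = fp
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            # Guideline 3: temporary lock, escalating 5 -> 10 -> 20 -> 60 min and
            # staying at 60 min once the list is exhausted.
            level = min(st.lock_level, len(LOCK_DURATIONS_SEC) - 1)
            st.locked_until = now + LOCK_DURATIONS_SEC[level]
            st.lock_level += 1
            st.failures = 0
        return "bad_password"

    def seconds_locked(self, user: str, now: float) -> float:
        st = self.state.get(user)
        return max(0.0, st.locked_until - now) if st else 0.0
```

The state lives in a dictionary here; a real deployment keeps it per account in the same store as the credentials, so that an attacker cannot reset the escalation by hitting a different web node. Note also that the fingerprint of the last wrong attempt is keyed with a secret that never leaves the process, so a leaked state table does not hand out near-miss passwords.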


Nov 12 2010

SVN Switch and working copy cleanup

Category: Uncategorized | zvolkov @ 12:54 pm

SVN switch is the command you use to move your working copy between branches of your code. Basically, it deletes everything that exists only in the old branch, downloads everything that exists only in the new one, and updates what the two have in common.

Switching a pristine, clean checkout always works without error. However, as the SVN FAQ explains, in some cases switch stops partway and leaves the working copy half-switched. This happens when the working copy contains unversioned items that svn refuses to overwrite.

The solution is to clean up the working copy before switching. By clean-up I don’t mean the svn cleanup command; I mean deleting the unversioned and ignored files and directories.

For those running Cygwin, the easiest way is to use svn status to feed the rm command (the sed strips the status column and the padding after it, and tr plus xargs -0 hand each path over as a single argument, so names containing spaces are not split into several):

svn status --no-ignore | grep '^[I?]' | sed 's/^[I?] *//' | tr '\n' '\0' | xargs -0 rm -rf --

For those who prefer a native Windows solution, there’s a PowerShell equivalent (from the Cultivating Code blog):

(svn status "--no-ignore") -match '^[I?]' -replace '^.\s+','' | Remove-Item -Force -Recurse

For lazy folks like me, there’s a pure TortoiseSVN solution (it shows the list of files to be deleted, so you can’t use it in an unattended script):

TortoiseProc.exe /command:delunversioned /path:"path/to/wc"

Finally, there is a manual way to do it with Tortoise, as this StackOverflow answer explains: hold down the Shift key and right-click on the working copy. The TortoiseSVN menu now has additional options, including ‘Delete unversioned items…’.

In all cases, you probably want to keep the .suo files (Visual Studio’s per-user solution state, which is normally svn-ignored and so would be swept away by the --no-ignore commands above), unless you want to re-collapse each of those 50 projects in your solution!
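The one-liners above delete whatever svn status reports without a way to spare the .suo files. The script below is an added example, not the post’s own command, that does the same sweep with a keep list and a dry-run mode. The KEEP_GLOBS list, the DRY_RUN variable and the sample status lines in the usage are assumptions made for the example; it relies on GNU xargs (which Cygwin ships) for the -r and -0 options.

```bash
#!/usr/bin/env bash
# Sweep unversioned ('?') and ignored ('I') items out of a working copy while
# keeping files that match a list of patterns. Paths are passed NUL-separated
# so names containing spaces survive the trip through xargs.

# Basename globs to keep. ".suo" is Visual Studio's per-user solution state,
# which is exactly what the post says you do not want to lose.
KEEP_GLOBS=("*.suo")

# Read `svn status --no-ignore` output on stdin; write the paths to delete,
# NUL-terminated, on stdout. Lines whose first column is not '?' or 'I'
# (modified, added, conflicted, ...) are never touched.
list_cleanup_targets() {
    local status path name g
    # `read` splits off the status column and leaves the rest of the line,
    # embedded spaces included, in $path (leading/trailing blanks are trimmed).
    while read -r status path; do
        case "$status" in
            '?'|I) ;;
            *) continue ;;
        esac
        name=${path##*/}
        for g in "${KEEP_GLOBS[@]}"; do
            case "$name" in
                $g) continue 2 ;;   # matches a keep pattern: skip this path
            esac
        done
        printf '%s\0' "$path"
    done
}

# Clean the working copy at $1 (default: current directory).
# DRY_RUN=1 prints the paths that would be removed instead of deleting them.
clean_working_copy() {
    local wc=${1:-.}
    if [ "${DRY_RUN:-0}" = 1 ]; then
        svn status --no-ignore "$wc" | list_cleanup_targets | tr '\0' '\n'
    else
        # -r: do not run rm when nothing is listed (GNU xargs).
        # --: stop rm from reading a path that starts with '-' as an option.
        svn status --no-ignore "$wc" | list_cleanup_targets | xargs -0 -r rm -rf --
    fi
}
```

Run `DRY_RUN=1 clean_working_copy path/to/wc` first and read the list; only then run it without DRY_RUN. Because svn status is given the working-copy path as an argument, every path it prints is already prefixed with that directory, so the script does not need to cd into the working copy before deleting.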


Nov 12 2010

Dummy Post

Category: Uncategorized | zvolkov @ 10:01 am

This post intends to fix the “file ‘/blog/post/2010/11/12/sp_findtext.aspx’ does not exist” error in my RSS feed.