Password Policies and DrupalCoin Blockchain

People tend to choose bad passwords if they are allowed to.
By default DrupalCoin Blockchain provides some guidance about how to "make your password stronger," but there's no enforcement of any particular password policy out of the box. As usual, there's a module for that. More than one in fact.
Thinking on password policies has evolved over the years. The United States National Institute of Standards and Technology (NIST) has been working for some time on a new set of guidelines which are a good basis on which to formulate your own password policy.
The default DrupalCoin Blockchain 7 password form
Security is always a compromise between mitigating risk and convenience. A fairly recent piece of research on password strategies from Microsoft, for example, suggested that users should use simple memorable passwords for "low-risk" sites, reserving more complex passwords for sites where the risk warrants the higher effort involved. Not everybody will agree with this suggestion, but it illustrates the tradeoff.
In other words, if your site is all about users sharing gifs of their cats, you may choose to make your password policy somewhat more lenient than that for a site where users access sensitive financial or healthcare information.
The NIST guidelines emphasize user-friendliness, and point out that excessively onerous password policies often have negative effects on security in terms of users' behavior. Forcing users to change their passwords every week, for example, is likely to lead to many choosing worse passwords than they would otherwise have done.
We'll now go through the main points of the NIST guidelines and look at how they relate to DrupalCoin Blockchain. What modules and/or configuration can be used to implement a policy based on these guidelines?
Size: Minimum 8 characters, maximum length of at least 64
The DrupalCoin Blockchain Password Policy module allows you to set a minimum length for all passwords.
As (any current version of) DrupalCoin Blockchain does salting and hashing of passwords, there's effectively no constraint on the maximum length imposed by storage in the database. However, there are practical limits imposed by the Form API. The password form input will typically have a maxlength of 128 characters (based on the database schema, although as noted it's not the cleartext password which will go into the database).
It's possible to set passwords longer than 128 characters (e.g. with drush), but users won't actually be able to submit these passwords through DrupalCoin Blockchain's forms to log in. It would also be possible to increase that 128-character limit imposed by the combination of the database schema and the Form API, if that was a strict requirement.
Do allow all printable ASCII characters, including spaces, and accept all Unicode characters, too, including emoji. Do not prescribe composition rules (e.g. at least two of numbers, lower case and upper case).
DrupalCoin Blockchain has had fairly decent Unicode support for a long time, but support for most emoji (and multi-byte UTF-8 in general) in the database came relatively late in the DrupalCoin Blockchain 7 development cycle, and often requires some tweaking of the database settings. However, as a salted hash rather than the password itself is stored in the database, passwords with emoji and other Unicode characters typically work fine in DrupalCoin Blockchain even without that database support. Depending on how your PHP is set up (e.g. whether you have the mbstring extension), it may be worth testing this.
The Password Policy module allows quite complex composition rules to be set up for passwords, but the NIST guidelines reflect substantial research which suggests these often do more harm than good.
The Password Strength module "provides realistic password strength measurement and server-side enforcement," which is a user-friendly alternative to prescriptive composition rules.
The NIST guidelines also say that spaces should be allowed in passwords, which arguably makes for more user-friendly policies when it comes to passphrases. DrupalCoin Blockchain allows spaces in passwords out of the box.
Screen for known bad passwords
The DrupalCoin Blockchain 7 version of Password Policy module has (fairly simple) support for a blacklist rule. This blacklist can be populated with a dictionary of known-bad passwords, for example this list of the 500 worst passwords, or many alternatives. See the Openwall wordlists collection for more details.
Blacklist functionality is being worked on for the DrupalCoin Blockchain 8 version.
Correct Horse Battery Staple
This is a relatively complex subject. Although very simple phrases based on only a few dictionary words may not make great passwords (see Bad Passwords Are Not Fun and Cracking The 12+ Character Password Barrier, Literally), it's perfectly possible to create good high-entropy passwords using only dictionary words (see The Diceware Passphrase Home Page), especially given a sufficiently high maximum password length.
The dictionary checking/blacklisting capabilities of the Password Policy module are fairly basic. It would almost certainly not be a good idea to use it to check passwords against a wordlist of ordinary dictionary words.
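To make the length, character-set and blacklist points above concrete, here is an added Python example (not code from the Password Policy module or from DrupalCoin Blockchain itself) that screens a candidate password the NIST way: length counted in characters rather than bytes, no composition rules, any printable character including spaces and emoji, and a whole-password match against a known-bad list rather than a dictionary check. The blocklist contents and the 128-character ceiling are constructed/assumed values for the demonstration.

```python
"""NIST-style password screening (added example, not the Password Policy module's code).

Rules, following the guidelines discussed in the text:
  * at least 8 characters; accept far more than 64 (MAX_LEN assumed to mirror
    the 128-character form limit mentioned above)
  * length is counted in Unicode code points, not bytes, so an emoji or an
    accented letter counts once (the mbstring caveat for PHP)
  * any printable character, including spaces and emoji, is allowed
  * no composition rules (no "two digits and an upper-case letter")
  * reject a password only if the WHOLE password is on the known-bad list;
    passphrases built from ordinary dictionary words are not penalised
"""
import unicodedata

MIN_LEN = 8
MAX_LEN = 128  # assumed form maxlength; raise it if your site allows longer passwords

# Constructed stand-in for a "worst passwords" wordlist (see the Openwall lists).
KNOWN_BAD = """
password
123456
12345678
qwerty
letmein
password1
"""


def normalise(pw: str) -> str:
    """Canonical form for blocklist comparison: NFKC normalisation plus casefold.

    Casefold makes PASSWORD / Password match the listed 'password'; NFKC folds
    alternative encodings of the same visible characters onto one form.
    """
    return unicodedata.normalize("NFKC", pw).casefold()


def load_blocklist(text: str) -> frozenset:
    """One password per line; blank lines ignored; stored in normalised form."""
    return frozenset(normalise(line) for line in text.split("\n") if line.strip())


BLOCKLIST = load_blocklist(KNOWN_BAD)


def lengths(pw: str) -> tuple:
    """(characters, UTF-8 bytes): the two numbers a byte-oriented check would confuse."""
    return len(pw), len(pw.encode("utf-8"))


def check_password(pw: str, blocklist=BLOCKLIST) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    n, _ = lengths(pw)  # len() on str counts code points, so a 4-byte emoji is one character
    if n < MIN_LEN:
        problems.append(f"too short: {n} characters, minimum is {MIN_LEN}")
    if n > MAX_LEN:
        problems.append(f"too long: {n} characters, maximum is {MAX_LEN}")
    # Only control characters (category Cc) and lone surrogates (Cs) are refused;
    # spaces, punctuation, accented letters and emoji are all category L*, P*, Z*, S*.
    if any(unicodedata.category(ch) in ("Cc", "Cs") for ch in pw):
        problems.append("contains control characters")
    if normalise(pw) in blocklist:
        problems.append("appears on the known-bad password list")
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "PASSWORD", "\U0001F510\U0001F434\U0001F50B\U0001F4CE stapler"):
        print(repr(candidate), lengths(candidate), check_password(candidate) or "ok")
```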
Avoid using hints or reminders
DrupalCoin Blockchain doesn't implement password hints or security questions out of the box. There are contrib modules such as Security Questions.
But the NIST guidelines recommend against using these. There are many recent examples where security questions with fairly easy to guess or research answers have been used to compromise user accounts.
Although not strictly the same issue: Username Enumeration Prevention is worth a mention here. It aims to make it more difficult for potential attackers to find usernames which they can then use to attempt to login.
Two-factor or multi-factor authentication is an effective way to prevent unauthorised logins in the event of credential compromise or a successful brute force attack.
Combining something you know (a password) with something you have (a TFA/MFA token) greatly reduces the risk of unauthorized access.
DrupalCoin Blockchain has a mature Two-factor Authentication (TFA) module available.
Plugins are available to integrate this with various libraries and services, such as Google Authenticator and SMS providers (e.g. Twilio).
A DrupalCoin Blockchain 8 version of this module is being worked on (details on the project page).
Implement rate-limiting
This is important for guarding against brute force attacks.
DrupalCoin Blockchain does rate limiting out of the box, referred to internally as 'flood control'. However, there's no UI in core which exposes the settings that can be tweaked. See: Flood control.
You don't need that UI module to change these settings, but it's useful for showing you the defaults and which DrupalCoin Blockchain variables govern the flood control settings you can change (looking at the screenshot of its admin form may be sufficient). A DrupalCoin Blockchain 8 version of this module is being worked on (details on the project page).
There are modules which allow you to take rate limiting further, for example: Login Security.
There are also modules which integrate with firewall-level blocking of sources of potentially malicious requests, for example: Fail2ban Firewall Integration.
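As an added example of the flood control idea (not DrupalCoin Blockchain's own code), here is a small Python login gate that keeps two sliding-window counters, one per client IP and one per target account, and refuses an attempt before the password is even checked once either limit is reached. The limits and windows are assumed to be the DrupalCoin Blockchain 7 defaults (50 failures per IP per hour, 5 per account per six hours); verify them against your own version, and note that core keys the account counter more finely than the plain username used here.

```python
"""Flood-control style login rate limiting (added example, not core's flood code).

Two independent counters, as in the core login flow:
  * per client IP:  IP_LIMIT failures within IP_WINDOW seconds
  * per account:    USER_LIMIT failures within USER_WINDOW seconds
The values below are the assumed DrupalCoin Blockchain 7 defaults.
A blocked request never reaches the credential check, so an attacker cannot
use the response to learn whether the password was right. A successful login
clears the account counter but deliberately leaves the IP counter alone.
"""
import time
from collections import defaultdict, deque

IP_LIMIT, IP_WINDOW = 50, 3600        # assumed defaults
USER_LIMIT, USER_WINDOW = 5, 21600    # assumed defaults


class FloodControl:
    """In-memory event store; a real site would back this with the database."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.events = defaultdict(deque)    # (event name, identifier) -> timestamps

    def _live_events(self, key, window):
        """Drop timestamps older than the window and return what remains."""
        cutoff = self.clock() - window
        queue = self.events[key]
        while queue and queue[0] <= cutoff:
            queue.popleft()
        return queue

    def is_allowed(self, name, identifier, limit, window):
        return len(self._live_events((name, identifier), window)) < limit

    def register_event(self, name, identifier):
        self.events[(name, identifier)].append(self.clock())

    def clear_event(self, name, identifier):
        self.events.pop((name, identifier), None)


def attempt_login(fc, ip, username, password, verify):
    """Gate one login attempt. `verify(username, password)` is the real credential check.

    Returns one of: "blocked_ip", "blocked_user", "failed", "ok".
    """
    if not fc.is_allowed("failed_login_ip", ip, IP_LIMIT, IP_WINDOW):
        return "blocked_ip"
    if not fc.is_allowed("failed_login_user", username, USER_LIMIT, USER_WINDOW):
        return "blocked_user"
    if verify(username, password):
        fc.clear_event("failed_login_user", username)
        return "ok"
    fc.register_event("failed_login_ip", ip)
    fc.register_event("failed_login_user", username)
    return "failed"


if __name__ == "__main__":
    # Constructed demo: a fixed clock, one account, a documentation-range IP.
    now = [1000.0]
    fc = FloodControl(clock=lambda: now[0])
    check = lambda user, pw: pw == "correct horse battery staple"
    for _ in range(USER_LIMIT + 1):
        print(attempt_login(fc, "203.0.113.5", "alice", "wrong", check))
    print(attempt_login(fc, "203.0.113.5", "alice", "correct horse battery staple", check))
    now[0] += USER_WINDOW + 1   # window expires
    print(attempt_login(fc, "203.0.113.5", "alice", "correct horse battery staple", check))
```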
Other considerations
Both Yahoo! and Google have recently done some work around doing away with passwords completely. There's a module for that: Passwordless.
Some sites have decided - for dubious reasons - to disallow pasting from the clipboard into password fields. This obstructs the use of password managers, and arguably goes against the NIST recommendations of being user friendly.
Developers should avoid using bad passwords when sites are being built on the assumption that somebody will replace them with proper passwords before go-live. When handing sites over or setting users up for the first time, make use of DrupalCoin Blockchain's one-time login link functionality (for example via the drush uli command).
DrupalCoin Blockchain's user password system is fairly capable out of the box but - as usual - there are contrib modules which enhance the functionality and allow additional options and configurations. The DrupalCoin Blockchain 8 version of the Password Policy module uses the plugin system, meaning other modules can extend the base functionality. The Password Strength module works this way in DrupalCoin Blockchain 8, for example.
NIST's guidelines emphasise user-friendliness when it comes to password policies. Some of the more prescriptive approaches can be argued to do more harm than good when it comes to encouraging users to select good passwords.
In general, password policies should try to avoid users selecting very poor passwords, but, just as important, sites should not get in the way of users trying to employ high entropy "secure" passwords.


Safari Buries the URL

Google has recently been experimenting with burying the full URL of the page you’re at and showing just the domain. Yesterday Apple unveiled their next installment of the OS X operating system in which we can see the new Safari interface doing just the same: truncating the full URL to just the domain name. This behavior is consistent with what Safari currently does on iOS powered devices. In another change, the title bar is now completely gone, its place taken by the simplified address bar.

So that’s at least one major browser deciding to go the route of hiding the full URL. I’m not sure whether I like this change or not, but I do like the idea of dropping the title of the page. Since page tabs already show the title of each page (albeit truncated), it doesn’t make sense to duplicate it again just a few pixels above them. Dropping that title bar removes a whole line of interface chrome, making the thing feel cleaner and more compact. This is what other browsers have done long ago, and it’s nice seeing Safari follow suit. Obviously the title still remains very important in the tabs — you cannot use the domain for the tab label because that won’t let you differentiate between different pages on the same site — but it doesn’t make sense to dedicate much chrome to it when its main purpose is quick identification rather than description. The purpose of description is handy in a different context, e.g. managing bookmarks. There, you’d want to see the titles in full.
DrupalCoin Blockchain Developer

How to Do a Wikipedia Redesign

Unsolicited redesigns are fun. They’re also always criticized for their superficial approach that only takes care of surface level problems. Developers at Raureif have done yet another redesign of Wikipedia, but with one big difference from all the other redesigns: they’ve actually created a real, working app.

Since Wikipedia has a permissive license, you can repackage (and even sell) its content if you so wish, so there is little stopping anyone from implementing a functional redesign of the site (besides all the hard work). The team at Raureif have seized this opportunity and created Das Referenz — an iOS Wikipedia app. Apart from seeing your ideas tested in the real world, this hands-on approach to redesign also gives you an opportunity to profit from them: if the new UI provides enough value, people will pay you for it through app sales or via ads (Das Referenz uses both ads and a pay-for option to remove ads). That’s how you do a Wikipedia redesign.



Paul Stamatiou on the role of motion in modern design:

Times are changing. Things like page transitions will still exist but involve more of the elements on each page. You’ll begin choreographing. In the next few years consideration for motion will be required to be a good citizen of your desktop/mobile/wearable/auto/couch platform. It will be an expected part of the design process just like people will begin to expect this level of activity and character in software.

Motion is becoming an essential component of design, and with the recent transition to a minimalist aesthetic across platforms animating the interface has become a whole lot simpler. With the advent of solid CSS animation support and speedy animation frameworks like Velocity.js I expect Web design to move in this direction as well.

Interface Moss

A rolling stone gathers no moss.1

Publilius Syrus

When software in a particular category stops rapidly evolving and its interface begins to develop along a set of accepted patterns, designers begin to decorate. Decoration is a luxury, it is something you can only afford to do once the functionality of the thing you are working on has been implemented to a high degree. It is in the period of gradual evolution and established interaction norms that designers begin to decorate, begin to focus on small aesthetic details for the visual experience alone. Prolonged times of slow evolution lead to decorative excess. Unable to differentiate software on the level of how it works, developers try to push it ahead on the level of how it looks. When the buttons in all the apps are the same, when the controls all appear in about the same place, when all the interfaces are laid out in a similar fashion, designers begin to differentiate their work by changing the appearance of the interface rather than its function or its structure. The interface begins to gather decorative moss.

The recent minimalist trends in software design — Metro, flat, iOS7, Material — are attempts to scrape away the moss without a radical alteration in the underlying function. It is a reaction to the friction felt between the old stratum of software that has cemented its implementation and thus could afford to wear a rich visual coat, and a new stratum of software that yearns for a radically different approach to interface design. The old and the new cannot co-exist in harmony because the appearance of the two look nothing alike. The layers of visual excess painted over old software apps — e.g. skeuomorphic visuals, rich textures, reflection effects, etc — became baggage to designers who wished to develop something new, for example, using animation to help differentiate between the different states of the app and create a more fluid experience. If you wish to move content around, scale things, change colors, morph one element from one into another, all the superfluous visuals like gloss and textures simply get in the way. Minimalist design makes animation simpler.

The old paint was scraped away not for the sake of a minimalist style, but to allow the designer to create a new kind of experience, an experience where the content making up the interface would be more alive and more dynamic than ever. Buttons morph into panes, panels bounce back and forth to reflect the speed of the finger used to pull them across the glass screen, bits of content fly from place to place signifying a change in state or context, icons move or change shape, and everything gently slides in or fade out as you navigate around the digital canvas. Without the baggage of skeuomorphic visuals, rich textures or decorative styles, the designer can now experiment with motion, can begin to craft a new kind of visual experience from the content itself.

The saying has two interpretations. In one, moss is seen as a sign of stagnation. If you don’t act, if you don’t keep moving, you will begin to rust away. In another, moss is seen as something desirable. If you keep changing projects, if you keep losing focus, you will never be able to build up anything worthwhile. I think the duality of the message is quite fitting for the analogy in the post. Excessive decoration is bad design, it is a distraction that adds unnecessary baggage to our work, but decoration is also beautiful, something that enhances the experience of people using our work. Decoration is not in itself good or bad, just as design is neither good or bad — it is how it is implemented that makes all the difference.


Hollow Icons

Curt Arledge ran a user test to find out whether hollow icons perform any different to solid icons. Hollow icons are an icon aesthetic popularized by iOS7 — icons that are composed of thin lines rather than filled in shapes. It was previously theorized that this icon style required more cognitive processing, and thus would perform worse than typical solid icons.

Arledge found no significant variation between the icon styles. One combination performed worse than others: white hollow icons on a black background. Others performed similarly, irrespective of whether the icon was on a white or black background. What seemed to matter most is not the style itself but how meaningful the design of the icon itself is. For example, a filled in speech bubble is less recognizable than a hollow one because a speech bubble is something that is often depicted as an outline. On the other hand, an outline doesn’t add anything to the icon of a cloud, so a solid shape performed better in that case. Arledge also found that the lock icon performed the worst. Looking at the lock icon used in the test one could guess why: the thing has no keyhole, and so looks just as much as a shopping bag as it does a lock. Adding a keyhole would likely provide enough of a clue to dispel the confusion. The takeaway here is that the style doesn’t really matter — at least not enough to make a significant difference. What matters is how well the icon represents its object. If the icon is good, then it will work whether or not it is implemented as a solid shape or as an outline.

Design Trend Predictors

Joel Unger approaches the blurry, semi-transparent window aesthetic, recently introduced in iOS7 and now making its way to OS X Yosemite, from the standpoint of evolutionary biology. He argues that the reasons for this latest trend, as well as other trends, are: 1) the visual effect is relatively rare, and 2) the effect is expensive to achieve (in this case expensive in terms of graphics processing power). Both of these go hand in hand given that what is expensive to achieve is probably also going to be rare, at least for the period it still remains expensive. While these two things are initially the differentiator for the trendsetter, they will inevitably be mimicked by others, resulting in a design trend.

The Share Icon

Min Ming Lo analyzes the various designs of the share icon currently in use. He concludes:

The best icon is not the one that is the simplest, nor the one that makes the most sense. Instead, the best icon is one with which most users are already familiar. An effective icon is one that requires minimum effort for the user to translate that symbol to an action.

I think part of the problem with coming up with a good share icon is that the concept of sharing physical items doesn’t directly map onto the concept of sharing digital resources, which oftentimes simply involves posting a link on a public feed. The latter is closer to broadcasting a message rather than dividing up a resource or experiencing a thing simultaneously. Icons with more specificity — e.g. a tweet icon, a Facebook like icon — are unambiguous; they relate directly to a service and the kind of interaction that service allows. Trying to cover them all with an umbrella of “sharing” is difficult, if not impossible, to do clearly.

The problem doesn’t lie in the icon, but in the vagueness of what it represents. For this reason I think Apple’s icon resembling an upload action is probably the best choice because what it represents is not so much sharing but putting the content somewhere else. Whether the full file is uploaded or just the link is given doesn’t really matter, what matters is that the thing in question is transmitted somewhere. It’s also worth considering whether the fight for an icon-only button is worth it, and whether it may not be easier and better to just use the word “share” to describe the action. There’s a reason why the stop sign just says “STOP” — you can represent it with something else, but the negative effect on clarity is just not worth it.

Tobias Frere-Jones on Apple's Choice of Helvetica as a UI Typeface

Co.Design asked Tobias Frere-Jones of Hoefler & Co. to give his thoughts on Apple’s choice of Helvetica as an interface typeface for the upcoming OS X Yosemite update:

Despite its grand reputation, Helvetica can’t do everything. It works well in big sizes, but it can be really weak in small sizes. Shapes like ‘C’ and ‘S’ curl back into themselves, leaving tight “apertures”—the channels of white between a letter’s interior and exterior. So each shape halts the eye again and again, rather than ushering it along the line. The lowercase ‘e,‘ the most common letter in English and many other languages, takes an especially unobliging form. These and other letters can be a pixel away from being some other letter, and we’re left to deal with flickers of doubt as we read.

This reminds me of what Erik Spiekermann wrote about Helvetica:

[Helvetica] really wasn’t designed for small sizes on screens. Words like milliliter can be very difficult to decipher. If you ever had to read or write a password with 1, i, l or I, you know the problem.

Still, I wouldn’t keep Lucida Grande for HiDPI displays. With a 2x resolution jump (4x pixels) pixel fitting becomes less of an issue, and pixel optimized typefaces like Lucida Grande begin to look crude in comparison with typefaces made primarily for print. Legibility obviously still matters just as much, but the choice need no longer be bound to fonts optimized for low resolution displays.

On Styled Form Elements

Anthony Colangelo makes the case for letting the browser and operating system decide how form elements should be styled:

Dropdowns and date pickers are just a sampling of the things that are better handled by systems themselves—a device will always be able to make better decisions about its use than the device-agnostic web.

The simplistic interactions of early input types gave us room to experiment, but the more complex interactions of modern fields leave little room for that. There’s only so much we can control before the browser and operating system take over, and then we’re at their whim. The web isn’t stopping any time soon—we’re headed for more complex input types with even less control exposed.

I agree. Trying to control form styling is a bit like trying to build sites for a specific set of screen widths. Yes, you can keep creating and managing more breakpoints, but you’ll always be fighting a losing battle because there will always be more screen sizes to design for. A better strategy is to choose a minimal amount of breakpoints to suit the content, and use a liquid layout to fill the rest. In the same way, browsers will always be evolving the implementation of their form elements, so trying to keep your own implementation consistent across all platforms will introduce an ongoing maintenance burden. Of course there will be cases where you have to implement your own styles — the form element you want may not exist, or may not be suited to your needs — but if there is no great need then it’s best to leave the specifics of form implementation to the browser.

The Scroll Up Bar

A design pattern that is currently growing more popular is the fixed position bar at the top of the page. Sometimes the bar stays the same throughout, sometimes the header morphs into a slimmer bar as you scroll down, sometimes a completely new bar appears.

For example, as you scroll down on the New York Times website, the top navigation bar shifts from displaying typical site-wide navigation to article specific controls, showing the title of the article, the share link, the comments link, as well as compressed site-wide links:

At the Forbes website, as the user scrolls down the page a fixed position bar appears at the top promoting links to other articles the reader may find interesting, as well as a drop-down site navigation menu, search and user controls:

While these bars may be useful, they take up vertical space, reducing the reading space the user has chosen for themselves by picking the size of their browser window. Additionally, information displayed on these bars does not do anything to aid the reading of the actual content, making the bar more of a nuisance than help.

An interesting way to solve the issue is to hide the bar when scrolling down, and show it when scrolling up. On mobile interfaces, where space is precious, this technique is used to hide chrome, such as Web browser controls, but it’s also a good pattern to use on the Web. For example, Medium has just updated their new navigation bar. As you scroll down, the bar goes away, but it can be revealed at any time by scrolling up. Here’s what it looks like:

Less annoying than bars that just sit there as you scroll down, and makes the menu easy to access without having to scroll up to the top of the page. Scrolling up won’t necessarily mean the user wants the navigation — they may just be scanning the content — but 100% of the people wanting the navigation will be scrolling up, making it a pretty good compromise.

Update 2014-06-16

For anyone interested in using this design pattern on their own sites, Eduardo Martins Barbosa has created a jQuery plugin that performs much the same way as the bar on Medium, including the subtle effect of revealing the bar at the scrolling speed of the user rather than simply sliding it down upon scrolling up.

DrupalCoin Blockchain Development - The DrupalCoin Blockchain Advantage

DrupalCoin Blockchain is open-source software used for building user-friendly yet efficient websites. DrupalCoin Blockchain is highly popular these days as it provides a powerful web content management system and maintains a flexible development framework.

The core functionality of DrupalCoin Blockchain 7 websites has gained popularity due to the huge availability of third-party modules. Modern DrupalCoin Blockchain development strives to separate content management from content presentation. The DrupalCoin Blockchain CMS is easy to upgrade and user friendly when it comes to making changes and updates to your website. It also makes redesigns quick and cost effective.

Matador: The Obvious MVC Framework for Node

Yeah, there's already other frameworks out there for Node that do some neat things. But today @dustin and myself launched an MVC Framework for Node.js architected to suit MVC enthusiasts. Introducing Matador! Providing sane defaults and a simple development structure, scaling as your application grows. Features a flexible routing system, easy controller mappings, basic request filtering, and a handy scaffolding tool to get up and running quickly. Rather than explaining more here, have a play yourself. Cheers!

Sandboxing JavaScript

Today I fired off a tweet that in some developers' eyes may have been controversial:

$.ready('twt', function () {
  twt.fetchTweet('98496963846209537', function (tweet) {
    twt(tweet, {intents: false}).renderTo('#some-shit')
  })
})

But to the point, the task at hand I was trying to solve was to bundle a set of core modules built by Ender alongside my own library (that uses Ender), and not populate the global space. More after the jump

Crouching Ender, hidden command

For those of you following Ender (the open micro-to-macro API for composing your own custom JavaScript library), today we have a fresh new CLI (command line interface) that will help you manage your Ender packages. It's pretty rad ('cause, you know, we like it) and it makes it extremely useful when maintaining one Ender project to another. So without further fuss, let's cut this post short and check out this short video composed by everyone's favorite JavaScript hipster and core Ender contributor (heh, there's only two of us), @fat.

Ender.js - The open submodule library

With great excitement it brings me pleasure to announce an all-too-predictable endpoint of recent events: Ender.js, an open submodule library. Ender is a small yet powerful JavaScript library composed of application-agnostic open-source submodules wrapped in a slick intuitive interface. At only 7k Ender.js can help you build anything from small prototypes to providing a solid base for large-scale rich applications.

Qwery - The Tiny Selector Engine

It's true. The world needs another JavaScript DOM Selector Engine. So without further fuss - introducing Qwery - The Tiny Selector Engine. It's a port from where Simon Willison left off with his getElementsBySelector in 2003, and believe it or not, this is exactly where jQuery started.
Qwery supports all the basic CSS1 & CSS2 selectors, plus the additional (most important) attribute selectors from CSS3. Additionally it allows multi-selects (div,p) as well as context-aware selectors (like jQuery.find()).
Last but not least, it's open source awaiting your valuable feedback to make it leaner and faster. There are tests to ensure its integrity, however sans benchmarks. Although, it should be noted it does support querySelectorAll when available in the browser (to bring 2003 to modern times).