Author: Cronk Ky

Your Login “Security” Is Awful

You want to log in? No problem!

Put in your email, press enter.

We’re not asking for your password at the same time, because we hate password managers. Everyone knows you’ve memorized them, or use the same one, or whatever.

Oh, wait, we don’t want your password!

We've sent a 6-digit code to ogglyboogly@example.com. It will expire in 10 minutes.
I hate you.

We’ll email a code and you have TEN MINUTES to type it in! What’s the problem?

The “Problem”

The reason one would set an expiration time on a verification email is so that the verification can’t be intercepted after the fact and used to log in.

For example, if a user tried to log in and forgot to check their email, someone later could look at their email, find the verification message and use it to log into the user’s account. That’s fine.

In the above case, the developers are expecting a user’s account to be SO COMPROMISED, they can’t afford to leave it exposed for more than 10 minutes!

Email is slow

Well, not slow, but not guaranteed to be there instantly.

Showing an email moving from sender to receiver
Email passing through nodes (GPT)

Emails from a sender to a receiver have to pass through one or more relays, and those relays can delay transmission for seconds, minutes or hours. One potential issue is if a transmission between two relay nodes must be resent due to errors.

An email sent to your neighbor can potentially take longer than one sent to a friend in another country; it all depends upon the speeds of transmission and delay between nodes.

Options

There are several alternatives to using a verification email with a 10 minute expiration that have less of a burden upon the end user and still provide security. Relying upon a user’s email account is risky, as that is one of the prime goals of attackers: take over a user’s email account and you can gain access to most or all of their accounts on other services via the “forgot password” action.

Good

First, don’t set the email expiration time too soon. If you set it to expire in an hour, that is a good compromise between leaving the login ‘exposed’ and giving the user a reasonable time to receive the email and use it.

Once the code/link/token in the email is used it should become invalidated so it can’t be used again. This will vastly reduce the danger of a bad actor somehow gaining access to the verification email and thus the user’s account. They would still have to get the email and try to log onto the account before the actual user did.
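As an added illustration of the advice above (a longer window plus single-use codes), here is a small server-side store for emailed login codes; it is example code, not from this post, and the one-hour TTL, the five-attempt limit and the in-memory dict are assumptions (a real service would persist this per user in a database or cache).

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60 * 60   # one hour: the post's suggested compromise between exposure and usability
MAX_ATTEMPTS = 5             # assumption: retire the code after a handful of wrong guesses (6 digits = 1e6 space)


class EmailCodeStore:
    """Server-side store for emailed login codes: expiring, single-use, guess-limited."""

    def __init__(self, ttl=CODE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._pending = {}           # email -> [salt, digest, expires_at, attempts]

    @staticmethod
    def _digest(salt, code):
        # Store a salted hash, never the code itself: a leaked table must not yield live codes
        return hashlib.sha256((salt + code).encode()).hexdigest()

    def issue(self, email):
        """Create a fresh 6-digit code for `email`, replacing any earlier one; returns the code to be emailed."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to six digits
        salt = secrets.token_hex(16)
        self._pending[email] = [salt, self._digest(salt, code), self._clock() + self._ttl, 0]
        return code

    def verify(self, email, code):
        """True exactly once for the right code inside its window; every failure path leaves nothing reusable."""
        record = self._pending.get(email)
        if record is None:
            return False
        salt, digest, expires_at, attempts = record
        if self._clock() > expires_at:
            del self._pending[email]             # expired codes are purged rather than kept around
            return False
        record[3] = attempts + 1
        if record[3] > MAX_ATTEMPTS:
            del self._pending[email]             # too many guesses: the user must request a new code
            return False
        if hmac.compare_digest(self._digest(salt, code), digest):   # constant-time comparison
            del self._pending[email]             # single use: the same emailed code cannot log in twice
            return True
        return False
```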

Better

  • Use SMS to send a validation code/token, which is more reliable as the nodes are designed for fast communication.
  • Give the user an option to use a regular (long) password, or a token from an authenticator app, instead of a validation email. As of 2026, passwords shorter than 11 characters are mostly useless against brute-force guessing. Using a password manager to generate longer passwords (e.g., 30 characters) is a good approach. Enforcing complexity (e.g., uppercase + number + lowercase + special character) has little bearing on security.

Best

Use passkeys.

☠️ Security Questions = PWND ☠️

Another excuse for me to say that security questions are a tell that the developers aren’t skilled in securing applications, and they happen to be climbing on Mt. Stupid.

A historic black-and-white photo of a train wreck, illustrating the importance of accurate project estimates.

Security questions give you the opportunity to use a weak password to bypass a strong password (or passkey, authentication token, email verification, etc).

apostrofly (n.)

uh-POS-truh-flahy – sounds exactly like the pest that it is

A rogue apostrophe that shows up absolutely everywhere, planted with the breezy confidence of a person who never questions their own judgement, in places that did not ask for it, and in words that did not need it. Causes loss of intelligence in everyone who sees it.

It is attracted to the letter “S”, like a hou’sefly is attracted to garbage. It lands wherever it want’s. On plural’s. Occa’sionally in the middle of word’s. In-between two letter’s that are now embarras’sed to be seen together.


Usage

“This menu is a cloud of apostroflies. I counted six in one sentence. Six.”
“I don’t know who needs to hear this, but ‘avocado’s’ is an apostrofly infestation in a single word.”
“Her TikTok’s title was so riddled with apostroflies I had to go outside and touch grass in order to calm down.”

Related: greengrocer’s apostrophe (the apostrofly’s more specialized, slightly posher cousin); comma splice (different pest, same energy); unnecessary quotation marks (the apostrofly’s chaotic sibling, equally uninvited, equally everywhere).
Note: You cannot correct an apostrofly in the wild. You will be told you are a “grammar nazi” or dismissed with “everyone knows what I mean”. The fly does not care. The fly will never care.

The Holy Book of Sock

A pair of knit socks

A fragment of the Book of Sock was discovered on an ancient thumbdrive on or before 2017. Miraculously, it was still readable! This may or may not be related to the Holy Order of Sockism.


The Gospel of the Word Of Sock (WOS)

3:37 He warned them polyester cotton blend may feel pleasant to the touch, it is naught but deception.

3:38 They did ignore him and rubbed the sock upon the balloon only to perish in a cloud of tumultuous fire.

The Law is Given

WOS 4:1 And the people did stare.

4:2 Then the word came from on high: These are thy care instructions. See that thee follow unto them from generation to generation, father to son, mother to daughter, cat to dog.

4:3 And the people did tremble in fear.

4:4 Most important, do not mix darks and whites, lest ye run.

4:5 Bleach only that which is white, and do not let it spill on thy clothes.

4:6 Dry in the sun and thy days will be sunny. Woe is to they that wring out, they will have their reward.

4:7 Use cool water as if from a stream on darks and reds, and the rainbow will shine with all the colors.

4:8 Separate the colors when washing, but wear them mixed if thine hipster clan require it.

4:9 When a hole appears in heel or toe, the body is to be laid to rest with all veneration. And the pair of the two will Disappear, and much cursing shall ensue.

4:10 The people were silent, as if struck dumb.

4:11 And the wind howled and the coyote barked. Still no one moved ere they be called upon to answer.

4:12 And day became night. And night turned to day.

4:13 And they looked around and all the people had fled in the night. Not a sound had they made.

4:14 But they left in their wake a sea of offal and refuse. And the old man cried at the sight.

Your Post Advocates…

Ever since the early days of the ancient web/usenet, there have been arguments and disagreements. Someone is wrong. Laziness being the mother of invention, someone created a funny checklist that starts “Your post advocates a ___ approach to … Your idea will not work.” Some of the items are generic/funny enough to apply to any subject, others are specific to the original subject (if memory serves, it was regarding email and spam). Will it prevent Godwin’s 1st Law? Probably not!


Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting copyright violations. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

(x) Virus and Malware authors can easily use it to infect more machines
( ) Independent content creators and other legitimate uses would be affected
(x) No one will be able to find the guy or collect the money
(x) It is defenseless against malware
(x) It will stop copyright violation for two weeks and then we'll be stuck with it
(x) Users will not put up with it
(x) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from copyright holders
(x) Requires immediate total cooperation from everybody at once
(x) Many users cannot afford to lose access to the web or alienate potential employers
(x) Copyright violators don't care about the one or two machines in their botnets
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(x) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for PCs
(x) Open relays in foreign countries
( ) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Widespread examples of copyright violation
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who pay for 0-day camshots of movies
(x) Dishonesty on the part of violators themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Darknets

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) TCP headers should not be the subject of legislation
(x) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Media without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending random files should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
(x) I don't want the government installing software on my computer
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) You're more extreme than Big Brother

Other Old Stuff

Obligatory XKCD:

one: Are you coming to bed? two: I can't. This is important. one: What? two: Someone is *wrong* on the internet.
Fighting the never-ending fight

Jakob Nielsen, Father of ‘Fast and Cheap UI’

World's Best CSS Developer

An early influence on my UI/UX interest was Jakob Nielsen at useit.com/alertbox. I devoured his articles on how people use the web, worst-practices (unfortunately far too many are still in use today), and common traps.

Learning from useIt.com, webpagesthatsuck.com and others, I grew my skills from definitely sucks to still sucks, but less. I started noticing how people use websites and how those sites are inadvertently designed to make things harder to get done. I would check in every once in a while to see the useit “state of the web” article on usability issues and successes.

A few weeks ago, I thought about the useit site and realized I hadn’t been there in quite a while—since probably before COVID—and decided to check it out. I noticed it redirected to NNGroup.com/articles. After clicking around for a bit, I tried to find the latest state of the web. I clicked on his author name on one of the old articles and it brought me to his page:

Jakob Nielsen, Ph.D., is a retired principal and co-founder (with Dr. Donald A. Norman) of the Nielsen Norman Group. Jakob established the "discount usability engineering" movement for fast and cheap improvements of user interfaces and invented the heuristic evaluation method.
RETIRED!

Wait, he got older and retired‽ Noooo…

All is not lost, as it seems others have taken up the mantle. There are the State of UX 2026 and the UX Year in Review Quiz for 2026, with hopefully more to come!

Related Sites

US Healthcare Websites are the Worst

How many healthcare websites were designed by someone who knows nothing about user interface design?

A: All of them

A mass of tiny links with no organization
Garbage Healthcare Insurance Website

Call to action? 🤣

Let’s say you wanted to log into the member portal. Where is it?

(I cropped the header off because this particular insurance company is not special in any way; they all suck more or less the same way)

Good luck, it is in the bottom of the screen. There’s no menu, no LARGE call to action. Nothing.

In fact there’s no menu at all.

The first time I tried to find it, I skimmed until I came to “Member Services” and clicked it. WRONG!

The link for the portal is below the member services link.

What can you do?

Nothing, absolutely nothing. Except learn from these idiots’ mistakes.

  1. Figure out what is the most-used function for your website.
    • For potential new customers,
      • a link to a plan summary that shows the difference between plans and their costs, and
      • links or buttons to enroll in a particular plan
    • For new customers, it is two or three things:
      • Getting an ID card,
      • Finding an in-network doctor, and
      • possibly paying the first month’s premium (rare). Forget it, no one is going to do this unless you’re on Obamacare, which was burnt and put up on blocks by the GOP.
    • For existing customers it is two things:
      • Checking balances (deductibles),
      • Reviewing Explanation of Benefits (EOBs),
      • Locating a doctor, and
      • Printing a new ID card
  2. Make the most-used functions FRONT AND CENTER, with as few actions (mouse clicks, scrolls, typing) as possible.
  3. Make it so your site does all the heavy lifting, figuring out what to place in front of the user based upon their needs.

What they did

Here’s what they’ve determined their customers are most interested in

  • Deciding whether they are Medicare Advantage or Obamacare patients

Then as an afterthought, at the bottom,
away from everything else,
in small print:

  • Find a doctor – will be used while a person is trying to figure out where they can go
  • Enroll Now – will only be used once and never again
  • Member Services – what the hell does that even mean? Will customers use this often or not at all?
  • Agents – Never used by any customer
  • Agent Portal – Never used by any customer
  • Member Portal – probably used by customers, a lot
  • Provider Portal – Never used by any customer
  • Pay Now – used by a tiny, tiny fraction of customers that don’t have job-provided insurance. Will only be used once to set up auto payment, except for that even smaller fraction of people who don’t trust autopay (probably 5 people)

Out of that whole mess, 13% (or maybe 26%) will be used by customers several times, 13% will be used once, 38% will NEVER be used, 13% will be used by a tiny fraction of customers one time (and a minuscule number more than once).

Worst case, 13% will be used by customers and 87% will not be used, yet they are almost all treated as having the same importance (the options on the second and third lines, which happen to contain the more-important options, are slightly worse).

A clown sitting in the trunk of a car

Don’t do this. Ever.

Unless you’re a clown.

More Information

Why The Joel Test will save your life

If you haven’t seen it, it is Truth. Learn it, memorize it, evangelize it.

(maybe)

The Joel Test

  1. Do you use source control?
  2. Can you make a build in one step?
  3. Do you make daily builds?
  4. Do you have a bug database?
  5. Do you fix bugs before writing new code?
  6. Do you have an up-to-date schedule?
  7. Do you have a spec?
  8. Do programmers have quiet working conditions?
  9. Do you use the best tools money can buy?
  10. Do you have testers?
  11. Do new candidates write code during their interview?
  12. Do you do hallway usability testing?

We’re going to talk about #2.

Build

Let me paint you a picture:

You need to build two versions of an app, one for French Guiana and one for France. Also, your app uses Google Analytics, Google Maps and some kind of crash reporting thing, all of which require tokens to access their respective APIs.

Being the Smart Developer you are, you don’t check your tokens into source code, because that would expose them to anyone who had access to your repository.

Instead, you edit the appropriate config files and add the token strings to the right fields. Your software repository ignores the changes to your config files so you don’t accidentally check them in.

You build your app for your default country, France, upload it to the app store and so on.

Now it is time to build it for French Guiana. Fortunately, everyone there speaks French, so no need to worry about translating anything (we don’t need no i18n!!1), so we just have a few changes…

  • Bundle ID
  • Google analytics tracking id
  • Google maps api key

If we don’t use a different analytics tracking ID, it will be difficult to determine usage for each app. Also, we want to keep the Maps API key separate so that if one app’s traffic spikes, it won’t affect the other app.

One step

To satisfy the Joel test, we should be able to build with one step. This means ONE command.

One easy way would be to use ISO 3166 country codes.

France

app-build --locale=fr

French Guiana

app-build --locale=gf

However we do it, it should not involve any manual steps to complete. This will decrease the chance of making any mistakes, shrink the learning curve for new developers, and ensure that every deployment is done the same way.
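One way to back a single `app-build --locale=…` command with no manual steps, as an added example that is not the post's own tooling: per-locale settings live in source, the secrets are read only from the environment (never committed), and a missing token or unknown locale aborts the build instead of shipping a half-configured app. The bundle IDs, environment variable names and output path are assumptions.

```python
import argparse
import json
import os
import sys

# Non-secret, per-locale build settings keyed by ISO 3166 code (constructed example values).
# Secrets are NOT here: each entry only names the environment variable the secret is read from.
LOCALES = {
    "fr": {"bundle_id": "com.example.app",    "analytics_var": "GA_TRACKING_ID_FR", "maps_var": "MAPS_API_KEY_FR"},
    "gf": {"bundle_id": "com.example.app.gf", "analytics_var": "GA_TRACKING_ID_GF", "maps_var": "MAPS_API_KEY_GF"},
}


class BuildError(Exception):
    """Raised for anything that should stop the build rather than produce a half-configured app."""


def build_config(locale, env=None):
    """Resolve everything the app needs for one locale; fails loudly if a token is missing."""
    env = os.environ if env is None else env
    if locale not in LOCALES:
        raise BuildError(f"unknown locale {locale!r}; known locales: {', '.join(sorted(LOCALES))}")
    settings = LOCALES[locale]
    missing = [v for v in (settings["analytics_var"], settings["maps_var"]) if not env.get(v)]
    if missing:
        raise BuildError("missing secrets in environment: " + ", ".join(missing))
    return {
        "bundle_id": settings["bundle_id"],
        "analytics_tracking_id": env[settings["analytics_var"]],
        "maps_api_key": env[settings["maps_var"]],
    }


def redacted(config):
    """Copy of the config that is safe to print in build logs: the Maps key is masked."""
    key = config["maps_api_key"]
    masked = (key[:4] + "...") if len(key) > 4 else "..."
    return {**config, "maps_api_key": masked}


def write_config(locale, path, env=None):
    """Write the generated config file (which must be git-ignored, like the hand-edited one) and return it."""
    config = build_config(locale, env)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
    return config


def main(argv=None):
    parser = argparse.ArgumentParser(description="one-step app build, e.g. app-build --locale=gf")
    parser.add_argument("--locale", required=True, choices=sorted(LOCALES))
    parser.add_argument("--out", default="build/app-config.json")   # assumed output path
    args = parser.parse_args(argv)
    try:
        print(json.dumps(redacted(write_config(args.locale, args.out)), indent=2))
    except BuildError as exc:
        sys.exit(f"build aborted: {exc}")
    # the packaging and store-upload steps would follow here, driven by the same config


if __name__ == "__main__":
    main()
```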

Sprint Length?

Hourglass with sand dripping

I was asked a question recently: what’s the ideal sprint length?

To start, let’s look at the purpose and function of a sprint.

The Sprint: What and Why

A sprint is a period of time in which the team promises to deliver certain functionality. At the end of the sprint, the team is supposed to deliver a working product that has some new functionality (or fixed functionality). This does a couple of things.

Benefits

  • It provides a timeboxed expectation. The product owner/stakeholders have a reasonable expectation as to when they will be able to see something new, and it is always on the same day and time. People are creatures of habit. I always have coffee Tuesday morning with my buddy, so Tuesdays are when I automatically eschew the cuppa joe at home, and my car automatically makes its way to our usual coffee shop.
  • It offers a sense of urgency and rhythm to the team. Good developers, by definition, are lazy. With an impending deadline, the desire to produce increases. Nobody wants to show up to the demo meeting and admit in front of everyone they have nothing to demo.
  • It feels like progress. Progress makes everyone happy, even the tiniest, little thing. We fixed that icon that everyone was complaining about. Oh and the app doesn’t crash when you get a call.
  • Most importantly, it sets up a time for feedback and pivoting. Long ago, when earbuds were something that grew in a garden, I was in charge of a project that ran for over a year. The team worked hard and produced a great product, and the client hated it. For one, they had only seen mockups on paper and never tried out the actual workflow. It is one thing to say, “okay, if I press this button, then I go to the details screen,” and quite another to actually click the button and realize the details screen is useless and should have never been built. Worse, the business always changes. Always. Competitors build their own app and gosh we should have “shake to pay” too, or whatever they have. And we sold our forklift shop six months ago so we don’t need any of that functionality.

✅ Do this

The team (the people building the stuff) and the Product Owner sit down and figure out how long the sprints should be. The team will know what sort of reasonable time it will take to build and deliver a reasonable number of stories, and the Product Owner will know how often their boss will ask, “So what’s up with that thing you’re building?” so they can tell the boss that they have the latest one right here, and check out this SHAKE TO PAY feature.

🚫 Avoid

Do not, for the love of all that is good and right in this world, pick 3-4 weeks, or longer, unless your stories involve mounds of concrete drying or paint peeling, because a month is too long to wait for progress, too long to discover the equipment catalog just doesn’t feel right, and offers way too many opportunities for the Boss to ask about That App Thing, and you have nothing new to show them.

⚠️ Beware the urge

Remember whatever you pick, resist the urge to change, otherwise it will mess up everything and provide little value. Once you’re feature-complete, or MVP, or come to a stopping place, then you can make a new project. If you want to reuse the backlog, you may have to repoint.

Edit (30 Jan 2026) – Formatting

Automation: The Rule of Three

How many licks?

Building, Fixing, Writing, Saying something?

Do it one time – sounds good

Do it twice – a bit annoying

Do it three times – you’ve crossed the line

Time to AUTOMATE

If you have to do the same thing the same way three or more times? Time to automate it.

Write a script, build a bot, buy a program, whatever.

You might spend as much time, or even a little more, automating it, but then the 4th+ times are free, performed accurately and correctly, and taken off your plate.

Now you can do something fun.

Update (30 Jan 2026) – formatting + xkcd

Processing a group of images for Cordova

When you have a group of images that you want to use for your cordova app’s splash screen, it can be tedious to get their dimensions and then add them to the cordova.xml file.

You have to examine every image, get the height and width, then create the entry for it:

<splash src="" width="#" height="#" />

Workers
Courtesy State Library of NSW

The Scenario

I was recently faced with doing just this for a mobile app, which had a group of 18 icons. The Rule of Three comes right into play here, so a short while later, I banged out a one-liner using sed, of course!

The Solution

for i in *.png; do
    # identify prints: <file> PNG <W>x<H> <W>x<H>+0+0 ...; the sed chain rewrites that line into a <splash> element
    identify "$i" | sed -e 's/^/<splash src="/' -e 's/png[^ ]*/png"/' -e 's/ PNG / width="/' -e 's/x[0-9]* [0-9]*x/" height="/' -e 's/+.*/" />/g'
done

Dependencies

The code assumes you have imagemagick installed and available in your path, specifically the identify utility.

It also only works against PNGs as that’s what I use for mobile apps. It shouldn’t be too hard to change this by examining the output of the identify utility and adjusting the sed commands accordingly.

Output

The output looks like this:

<splash src="bitmoji1272828.png" width="398" height="398" />
<splash src="flag_final.png" width="229" height="146" />
<splash src="line_guy.png" width="302" height="455" />
<splash src="ikcron_92.png" width="128" height="128" />
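The same job as the sed one-liner, written here as an added example (not the post's code) that also covers the cases the one-liner trips on: filenames with spaces, names containing "png" before the extension, characters that need XML escaping, and any image format ImageMagick can read. It assumes the ImageMagick `identify` binary is on the path and uses its `-format` escapes `%w`, `%h` and `%f`.

```python
import subprocess
from xml.sax.saxutils import quoteattr

# Ask identify for width, height and filename, with the filename LAST so a name containing spaces survives the split.
IDENTIFY_FORMAT = "%w %h %f\\n"


def splash_element(src, width, height):
    """One <splash> entry; quoteattr escapes quotes, <, > and & so no filename can break the XML."""
    return f'<splash src={quoteattr(src)} width="{width}" height="{height}" />'


def parse_identify_line(line):
    """Turn one 'W H name' line from identify -format into (name, width, height)."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unexpected identify output: {line!r}")
    width, height, src = parts
    return src, int(width), int(height)


def splash_elements(lines):
    """All <splash> entries for a block of identify output; blank lines are ignored."""
    return [splash_element(*parse_identify_line(ln)) for ln in lines if ln.strip()]


def splash_elements_for_files(paths):
    """Run identify once over all the files and build the entries (raises if identify fails)."""
    result = subprocess.run(["identify", "-format", IDENTIFY_FORMAT, *paths],
                            check=True, capture_output=True, text=True)
    return splash_elements(result.stdout.splitlines())


if __name__ == "__main__":
    import glob
    print("\n".join(splash_elements_for_files(sorted(glob.glob("*.png")))))
```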

See Also