Category: Blog


Your Login “Security” Is Awful

You want to log in? No problem!

Put in your email, press enter.

We’re not asking for your password at the same time, because we hate password managers. Everyone knows you’ve memorized them, or use the same one, or whatever.

Oh, wait, we don’t want your password!

We've sent a 6-digit code to ogglyboogly@example.com. It will expire in 10 minutes.
I hate you.

We’ll email a code and you have TEN MINUTES to type it in! What’s the problem?

The “Problem”

The reason why one would set an expiration time on a verification email is so the verification can’t be intercepted after the fact and used to log in.

For example, if a user tried to log in and forgot to check their email, someone later could look at their email, find the verification message and use it to log into the user’s account. That’s fine.

In the above case, the developers are expecting a user’s account to be SO COMPROMISED, they can’t afford to leave it exposed for more than 10 minutes!

Email is slow

Well, not slow, but not guaranteed to be there instantly.

[Image: an email passing through relay nodes from sender to receiver (GPT-generated)]

Emails from a sender to a receiver have to pass through one or more relays, and those relays can delay transmission for seconds, minutes or hours. One potential cause is a transmission between two relay nodes that must be resent because of errors.

An email sent to your neighbor can potentially take longer than one sent to a friend in another country; it all depends upon the transmission speeds and delays between nodes.

Options

There are several alternatives to a verification email with a 10-minute expiration that place less of a burden on the end user and still provide security. Relying upon a user’s email account is risky, as that account is one of the prime targets of attackers: take over a user’s email account and you can gain access to most, if not all, of their accounts on other services via the “forgot password” action.

Good

First, don’t set the email expiration time too soon. If you set it to expire in an hour, that is a good compromise between leaving the login ‘exposed’ and giving the user a reasonable time to receive the email and use it.

Once the code/link/token in the email is used, it should be invalidated so it can’t be used again. This vastly reduces the danger of a bad actor who somehow gains access to the verification email, and thus to the user’s account: they would still have to get the email and log onto the account before the actual user did.
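As an added example (not code from this post), here is how those two rules, a one-hour expiry and single-use invalidation, can be enforced server-side for a 6-digit emailed code. The in-memory store, the guess limit (MAX_ATTEMPTS), the injectable clock and the hashing of the stored code are my assumptions, not something the post specifies:

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60 * 60   # one hour, the compromise the post recommends
MAX_ATTEMPTS = 5             # assumption: lock a code after repeated wrong guesses
CODE_DIGITS = 6              # the post's 6-digit code


class LoginCodeStore:
    """In-memory store for e-mailed one-time login codes (hypothetical design;
    a real deployment would use a database or cache shared by all app instances)."""

    def __init__(self, ttl_seconds=CODE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # normalised email -> record dict

    @staticmethod
    def _hash(email, code):
        # Only a hash of the code is kept, so a leaked store does not expose live codes.
        return hashlib.sha256(f"{email}:{code}".encode()).digest()

    def issue(self, email):
        """Create a fresh code for `email`, replacing any earlier pending code."""
        email = email.strip().lower()
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[email] = {
            "hash": self._hash(email, code),
            "expires_at": self.clock() + self.ttl,
            "attempts": 0,
            "used": False,
        }
        return code   # the caller e-mails this; it is never stored in clear

    def redeem(self, email, code):
        """Return (ok, reason). A code works once, within its TTL, and only
        while the guess budget has not been exhausted."""
        email = email.strip().lower()
        rec = self._pending.get(email)
        if rec is None:
            return False, "no pending code"
        if rec["used"]:
            return False, "code already used"
        if self.clock() > rec["expires_at"]:
            del self._pending[email]
            return False, "code expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[email]
            return False, "too many attempts"
        rec["attempts"] += 1
        # Constant-time comparison of the hashes, not of the raw code strings.
        if not hmac.compare_digest(rec["hash"], self._hash(email, code)):
            return False, "wrong code"
        rec["used"] = True     # single use: a replay of the same e-mail fails
        return True, "ok"


if __name__ == "__main__":
    store = LoginCodeStore()
    addr = "ogglyboogly@example.com"    # the post's example address
    c = store.issue(addr)
    print("would e-mail code", c)
    print(store.redeem(addr, c))        # (True, 'ok')
    print(store.redeem(addr, c))        # (False, 'code already used')
```

Issuing a new code replaces the previous one for that address, so a user who requests a second email does not leave two live codes behind, and the guess limit keeps a 6-digit code from being enumerated during the hour it is valid.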

Better

  • Use SMS to send a validation code/token, which is more reliable as the nodes are designed for fast communication.
  • Give the user an option to use a regular (long) password, or a token from an authenticator app, instead of a validation email. As of 2026, passwords shorter than 11 characters are mostly useless against brute-force guessing. Using a password manager to generate longer passwords (e.g., 30 characters) is a good approach. Enforcing complexity (e.g., uppercase + number + lowercase + special character) has little bearing on security.

Best

Use passkeys.

☠️ Security Questions = PWND ☠️

Another excuse for me to say that security questions are a tell the developers aren’t skilled in securing applications, and they happen to be climbing on Mt. Stupid.

[Image: a historic black-and-white photo of a train wreck, illustrating the importance of accurate project estimates]

Security questions give you the opportunity to use a weak password to bypass a strong password (or passkey, authentication token, email verification, etc).

apostrofly (n.)

uh-POS-truh-flahy – sounds exactly like the pest that it is

A rogue apostrophe that shows up absolutely everywhere, planted with the breezy confidence of a person who never questions their own judgement, in places that did not ask for it, and in words that did not need it. Causes loss of intelligence in everyone who sees it.

It is attracted to the letter “S”, like a hou’sefly is attracted to garbage. It lands wherever it want’s. On plural’s. Occa’sionally in the middle of word’s. In-between two letter’s that are now embarras’sed to be seen together.


Usage

“This menu is a cloud of apostroflies. I counted six in one sentence. Six.”
“I don’t know who needs to hear this, but ‘avocado’s’ is an apostrofly infestation in a single word.”
“Her TikTok’s title was so riddled with apostroflies I had to go outside and touch grass in order to calm down.”

Related: greengrocer’s apostrophe (the apostrofly’s more specialized, slightly posher cousin); comma splice (different pest, same energy); unnecessary quotation marks (the apostrofly’s chaotic sibling, equally uninvited, equally everywhere).
Note: You cannot correct an apostrofly in the wild. You will be told you are a “grammar nazi” or dismissed with “everyone knows what I mean”. The fly does not care. The fly will never care.

The Holy Book of Sock

[Image: a pair of knit socks]

A fragment of the Book of Sock was discovered on an ancient thumbdrive on or before 2017. Miraculously, it was still readable! This may or may not be related to the Holy Order of Sockism.


The Gospel of the Word Of Sock (WOS)

3:37 He warned them polyester cotton blend may feel pleasant to the touch, it is naught but deception.

3:38 They did ignore him and rubbed the sock upon the balloon only to perish in a cloud of tumultuous fire.

The Law is Given

WOS 4:1 And the people did stare.

4:2 Then the word came from on high: These are thy care instructions. See that thee follow unto them from generation to generation, father to son, mother to daughter, cat to dog.

4:3 And the people did tremble in fear.

4:4 Most important, do not mix darks and whites, lest ye run.

4:5 Bleach only that which is white, and do not let it spill on thy clothes.

4:6 Dry in the sun and thy days will be sunny. Woe is to they that wring out, they will have their reward.

4:7 Use cool water as if from a stream on darks and reds, and the rainbow will shine with all the colors.

4:8 Separate the colors when washing, but wear them mixed if thine hipster clan require it.

4:9 When a hole appears in heel or toe, the body is to be laid to rest with all veneration. And the pair of the two will Disappear, and much cursing shall ensue.

4:10 The people were silent, as if struck dumb.

4:11 And the wind howled and the coyote barked. Still no one moved ere they be called upon to answer.

4:12 And day became night. And night turned to day.

4:13 And they looked around and all the people had fled in the night. Not a sound had they made.

4:14 But they left in their wake a sea of offal and refuse. And the old man cried at the sight.

Jakob Nielsen, Father of ‘Fast and Cheap UI’

[Image: World's Best CSS Developer]

An early influence on my UI/UX interest was Jakob Nielsen at useit.com/alertbox. I devoured his articles on how people use the web, worst-practices (unfortunately far too many are still in use today), and common traps.

Learning from useIt.com, webpagesthatsuck.com and others, I grew my skills from definitely sucks to still sucks, but less. I started noticing how people use websites and how those sites are inadvertently designed to make things harder to get done. I would check in every once in a while to see the useit “state of the web” article on usability issues and successes.

A few weeks ago, I thought about the useit site and realized I hadn’t been there in quite a while—since probably before COVID—and decided to check it out. I noticed it redirected to NNGroup.com/articles. After clicking around for a bit, I tried to find the latest state of the web. I clicked on his author name on one of the old articles and it brought me to his page:

Jakob Nielsen, Ph.D., is a retired principal and co-founder (with Dr. Donald A. Norman) of the Nielsen Norman Group. Jakob established the "discount usability engineering" movement for fast and cheap improvements of user interfaces and invented the heuristic evaluation method.
RETIRED!

Wait, he got older and retired‽ Noooo…

All is not lost, as it seems others have taken up the mantle. There are State of UX 2026 and UX Year in Review Quiz for 2026, with hopefully more to come!
