Three ways to create and keep great passwords

When you create a website account and hand over a password, you are entering into an unwritten agreement with the site: it will keep your password safe and its network secure. That includes storing only a salted, slow hash of the password rather than the password itself (or a reversibly encrypted copy of it), so that if the database is breached the passwords are still protected. After the most recent examples of poor security on commercial websites I decided it was time to revisit my password scheme.

I treat passwords differently depending on the website. Some are for sites I don't particularly care about; for banking and other financial sites I use a stock set of unguessable passwords. The throwaway passwords are fairly unique but follow the same algorithm, so once someone guessed one it would not be difficult for them to go around to other sites guessing the rest. The important passwords I generated years ago, and I use them only on sites where it is critical to keep my private information safe. The problem with these super secret passwords is that I can only remember a few of them, so each one ends up shared by several sites. If there is a security breach at any one of those sites, I am opening myself to potential theft everywhere else that password is used.

The key for me was finding a way to create a unique, secure password for every site. I googled and came across three great tools for helping me with this.

The first, SuperGenPass, is a password generator that runs inside your browser as a bookmarklet. With it, you only have to remember one master password; it combines that master password with the domain of the site you are on and hashes the result to produce a unique password for each site. The hash is one-way, so a site that leaks its copy of your generated password cannot simply reverse it to recover your master password (a weak master password can still be guessed offline, which is why the master itself has to be strong). I've tested it on the three major browsers (IE, Firefox, Safari) and it works great.
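To make the "one master password, one derived password per site" idea concrete, here is an added illustration in Python. It is not SuperGenPass's own code and does not reproduce its hashing scheme, output alphabet or domain rules; the site-key rule, the counter and the PBKDF2 parameters are assumptions of this example, and the master password is a constructed sample.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Added illustration of a SuperGenPass-style scheme; it does NOT reproduce
# SuperGenPass's own hashing, output alphabet or domain handling.


def site_key(url):
    """Reduce a URL to the part of the hostname used as the per-site salt.

    Simplified rule (an assumption of this example): keep the last two labels,
    so 'https://www.example.com/login' and 'example.com' both give 'example.com'.
    A real generator needs a public-suffix list to handle names like 'x.co.uk'.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_password(master, url, length=16, counter=1, iterations=200_000):
    """Derive the password for one site from the master password.

    PBKDF2-HMAC-SHA256 with the site key and a counter as salt: the same master
    gives a different password per site, and bumping the counter rotates one
    site's password without changing the master. The slow KDF raises the cost
    of guessing the master offline from a leaked site password.
    """
    salt = "{}:{}".format(site_key(url), counter).encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    # URL-safe base64 keeps the result typeable; a site with stricter
    # composition rules would need a post-processing step (omitted here).
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for url in ("https://www.example.com/login", "example.com", "https://example.org"):
        print(url, "->", derive_password(master, url))
```

Two caveats follow directly from the design. Every site password is a function of the master, so if the master is ever exposed, every derived password is exposed with it, and the master cannot be changed without changing all of them; the counter is the only per-site rotation knob. And "one-way" protects the master only as far as the master is hard to guess: an attacker holding one leaked derived password can run the same derivation over a password dictionary, so the master has to come from something like the Diceware procedure described below.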

The second, Passpack, is an online password manager. Sometimes you need passwords that SuperGenPass can't produce, such as PC logins and bank PINs. Passpack lets you store them in an online vault so that you can retrieve them from any PC.

Finally, the third is not so much a tool as a methodology. You need a genuinely unguessable master password to protect everything else, and most people are bad at inventing one: human-chosen passwords are far more predictable than they feel. Diceware is a website that shows you a process for creating one: roll five dice, look up the resulting five-digit key in a list of 7,776 short words, and repeat for each word of your passphrase. Each word drawn this way adds about 12.9 bits of entropy, so a five- or six-word passphrase is both memorable and strong. The Diceware instructions recommend physical dice rather than a computer's random-number function because a language's default random function is not designed for secrets; a modern operating system's cryptographic random source is fine for the same job, and it is the software equivalent of the dice, not a substitute for the word list.
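The Diceware procedure itself, as an added Python illustration that is not part of the original post or of the Diceware site: five dice faces map to a list position, the list maps the position to a word, and the entropy follows from the list size. The word list here is a constructed placeholder (real use needs the published 7,776-word list), and the dice are replaced by the operating system's cryptographic random source via the `secrets` module.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a standard Diceware list


def dice_key(index):
    """Map a list position 0..7775 to its five-die key, e.g. 0 -> '11111'."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError("index out of range for a Diceware list")
    digits = []
    for _ in range(DICE_PER_WORD):
        index, face = divmod(index, 6)
        digits.append(str(face + 1))
    return "".join(reversed(digits))


def key_to_index(key):
    """Inverse of dice_key: '66666' -> 7775. Rejects anything but five dice faces."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError("a Diceware key is five digits from 1 to 6")
    return int("".join(str(int(c) - 1) for c in key), 6)


# Constructed placeholder standing in for the real Diceware word list so the
# example runs offline; substitute the published list for actual use.
WORDLIST = {dice_key(i): "word%04d" % i for i in range(LIST_SIZE)}


def roll_key():
    """Roll five dice with the OS cryptographic random source instead of real dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(n_words=6, wordlist=WORDLIST):
    """Draw n_words words by independent rolls; every word is equally likely."""
    return " ".join(wordlist[roll_key()] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of a passphrase of n_words uniform draws: n * log2(list size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(6))
    print("%.1f bits" % entropy_bits(6))
```

The entropy figure only holds if every word is drawn independently and uniformly, which is why the procedure forbids rerolling words you dislike; `secrets.randbelow(6)` gives an unbiased die, where `random.randint` or a hand-rolled modulo over a fast hash would not be appropriate for a secret.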

All of these tools will help you get a handle on securing your digital identity. At a minimum, SuperGenPass combined with a master password generated via Diceware will offer more protection than most people have.


Adding Model Field Validation to the Django Admin Page

Django, the hot Python web application framework, provides an excellent administration user interface out of the box. Django originated in the newsroom and it’s reflected throughout the code. The idea behind including an admin interface is that reporters can work on easily submitting their content while the code jockeys work on the fun stuff – namely presenting that content to their readers.

The admin interface provides a great experience out of the box but is also extensible so you can add features not present in the original interface.

I was working on a model that was meant to be edited through the admin interface, and I wanted to constrain some IntegerFields in that model so that only a limited range of values could be entered.

The first way I tried to solve this was to add a choices parameter for my IntegerFields. While this technique worked, it caused my admin interface to add a drop down box displaying my choices. This was not what I was looking for.

The final way I solved it came from a suggestion on the Django IRC channel. Use validators. It took some digging through the documentation but I figured out how to do what I want. I will explain by way of an example.

from django.core import validators
from django.db import models

# validator_list and NumberIsInRange are the pre-1.0 Django API this post
# was written against.

# Accept only values from 0 to 4.
range_validator = validators.NumberIsInRange(0, 4)

class Test(models.Model):
    valid_int = models.IntegerField(null=True, blank=True,
                                    validator_list=[range_validator])

The validation framework is defined in the validators module. Import that if you need to perform any validation on your data.

Django includes a number of built-in validators. I lucked out and they had a validator that suited my purposes. The first step creates a validator instance of NumberIsInRange with the appropriate range. This returns a callable that I use later.

Model fields take a validator_list parameter, a “list of extra validators to apply to the field. Each should be a callable that takes the parameters field_data, all_data and raises django.core.validators.ValidationError for errors. (See the validator docs.)” That is the pre-1.0 API. In current Django the parameter is validators and the built-in checks are MinValueValidator and MaxValueValidator from django.core.validators. Note also that model validators run during form validation (which is what the admin does), not on save(), so code paths that write the model directly need full_clean() or a database constraint if the range must hold everywhere.

A quick test in the admin interface and the code works.
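The validator contract quoted above is simple enough to show on its own. The following is an added, framework-free Python illustration, not Django's code: a stand-in ValidationError, a range check written to the (field_data, all_data) signature, a cross-field check that uses all_data, and a small runner that applies them the way a form would. Field names and messages are assumptions of the example.

```python
class ValidationError(Exception):
    """Stand-in for django.core.validators.ValidationError (added here)."""


class NumberIsInRange:
    """Inclusive numeric range check with the (field_data, all_data) contract."""

    def __init__(self, lower=None, upper=None):
        self.lower, self.upper = lower, upper

    def __call__(self, field_data, all_data=None):
        try:
            value = float(field_data)
        except (TypeError, ValueError):
            raise ValidationError("Enter a number.")
        # Compare against None rather than truthiness so a bound of 0 is enforced;
        # 'if self.lower and ...' would silently skip the lower bound in (0, 4).
        if self.lower is not None and value < self.lower:
            raise ValidationError("This value must be at least %s." % self.lower)
        if self.upper is not None and value > self.upper:
            raise ValidationError("This value must be no more than %s." % self.upper)


def not_below_field(other_field):
    """Cross-field validator built with all_data: this field >= other_field."""
    def validate(field_data, all_data):
        try:
            other = all_data.get(other_field, field_data)
            if float(field_data) < float(other):
                raise ValidationError("Must not be less than %s." % other_field)
        except (TypeError, ValueError):
            raise ValidationError("Enter a number.")
    return validate


# Assumed field layout: valid_int in 0..4, max_int in 0..4 and >= valid_int.
VALIDATORS = {
    "valid_int": [NumberIsInRange(0, 4)],
    "max_int": [NumberIsInRange(0, 4), not_below_field("valid_int")],
}


def run_validators(all_data, validators=VALIDATORS):
    """Apply each field's validators in order; return {field: [error messages]}.

    Blank input is skipped, mirroring a null=True, blank=True field; an empty
    dict means the submission is acceptable.
    """
    errors = {}
    for field, checks in validators.items():
        field_data = all_data.get(field)
        if field_data in (None, ""):
            continue
        for check in checks:
            try:
                check(field_data, all_data)
            except ValidationError as exc:
                errors.setdefault(field, []).append(str(exc))
    return errors


if __name__ == "__main__":
    # Constructed submissions, as the admin form would post them (strings).
    for submitted in ({"valid_int": "3", "max_int": "4"},
                      {"valid_int": "-1", "max_int": "4"},
                      {"valid_int": "2", "max_int": "1"}):
        print(submitted, "->", run_validators(submitted) or "ok")
```

The point of the runner is that it rejects out-of-range and non-numeric input before anything reaches the model, regardless of what the browser-side widget allowed; the admin's drop-down from the choices approach only constrains cooperative clients, whereas a validator constrains every submission the form processes.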

The Django documentation contains everything you need to get the job done. Some careful searching and a great support community has helped make Django one of the best web frameworks available.



Django Tip – Don’t use hard coded urls in templates

Django, the Python-based web framework, has a template system that lets you separate business logic from presentation. Variables are substituted into a template with the {{ var }} syntax, and template tags such as url are written as {% ... %}.

One of the things you will often need to do is provide links to various views inside your application. However, the worst possible way to do this is to hard code pages inside your template. Developers of the Django framework are proponents of the DRY philosophy. This is evident in the URL mapping mechanism.

When you need to link to another view in your application, open your URLconf (the urls.py file) and find the pattern for that view. Give the pattern a name (in the old Django versions this post was written against you could instead copy the dotted path to the view function). Then, inside your template, build the anchor tag from the url tag rather than a literal path:

<a href="{% url 'view-name' %}">Link location</a>

Django substitutes the URL it resolves for that pattern, including whatever prefix your application is mounted under. If the view takes arguments, pass them after the name and they are filled into the pattern as well.

The obvious advantage to doing this is if you ever publish your Django application to a different location you don’t have to update your links.