COBOL 2020 – why are we still using it?

With the 2020 Covid-19 pandemic going on, it has brought to light just how old many of our government’s computer systems are. It is shocking to people to learn that today’s computer systems are running COBOL, a 60+ year old programming language, mostly on IBM mainframes.

What is more shocking is just how much many of the newspapers are getting wrong. But it isn’t just their fault. When we have college professors stating:

“There’s really no good reason to learn COBOL today, and there was really no good reason to learn it 20 years ago,” says UCLA computer science professor Peter Reiher. “Most students today wouldn’t have ever even heard of COBOL.”

FastCompany Article: What is Cobol

The reality is many companies still use COBOL. And while things like Java, JavaScript and Python are really “hot” languages right now, the reality is that many, many Fortune 500 companies still run it for a lot of their critical systems. Further, FastCompany was mistaken when it stated that “[o]ne key reason for the migration is that mobile platforms use newer languages, and they rely on tight integration with underlying systems to work the way users expect.” The overall trend in technology has been to decouple your code, not tightly couple it.

Further evidence of this is that most legacy airlines are also running equally legacy code, yet they still have performant Web 2.0 and mobile interfaces. They do what everyone else has been doing, which is layering modern technology on top of older frameworks using APIs. Currently we use fancy things like GraphQL and REST APIs, but the concept of an API is nothing new. SOAP interfaces have been around a long time (1998). Or how about POSIX (Portable Operating System Interface, aka IEEE 1003) from 1988.

Before I get started, let me say that I’ve been involved in technology since 1990 to one degree or another, and remember fondly the days of working on those ‘green screen dumb terminals’. I’ve personally done work on COBOL and other mainframe-style systems like the AS/400, some of which were written using a version called COBOL/400. I have experience in mainframe systems from airlines to manufacturing/ERP, as well as more modern operating systems like Microsoft Windows and Red Hat Linux, and the newer web development frameworks and stacks (PHP, JavaScript, etc).

Why do we continue to use COBOL? Because it is ‘relatively’ rock solid compared to most programs you see today. The uptime on these systems has been measured in years – not days or hours. We’re going well beyond things like five-nines uptime (99.999%). And this isn’t using fancy cloud-based, fault-tolerant systems, but rather just one clunky old IBM mainframe. The software simply works, and works well. However, what it doesn’t do is scale all that well. And often, what we’re seeing isn’t the failure of COBOL per se, but the modern interfaces that people have layered on top of COBOL failing.

Reliable technology is essential to businesses that expect to be operating for decades and that invest millions or billions into their software.

And it’s not just “old stuff” that is using older hardware/software. We can look at things being made brand new this year, such as the Boeing 737 MAX series, which is running hardware equivalent to the 1990’s NES (Nintendo Entertainment System). The reason is that it is battle tested and extremely reliable. It isn’t broken and it has more than enough computing power for the task.

Forget about tech startups for a moment. If you were building a new system that you need to be still working 20 years from now without ‘patching bugs’, but simply needed to continue to perform exactly the same things – would you choose a system that is new/novel that may or may not be supported, or would you go with a system which literally has been supported for decades and is in part propped up by the fact that most Fortune 500 companies are also in the same boat as you?

Perhaps now, it starts to make a lot of sense.

And for that reason it seems that Mr. Reiher is rather out of touch with reality. Yes, there isn’t a huge growth market for COBOL engineers – if anything the year-over-year need is probably shrinking – but the number of COBOL programmers is shrinking even faster as they retire. That creates not only a great need, but also a fantastic pay opportunity with nearly zero competition.

It is also a really simple language to learn and is object oriented, which most people should be familiar with as it’s used in a lot of modern languages. The challenge for the emergent issues is the experience needed to understand and reverse engineer someone else’s code. A short hello world program is easy in just about any language, but of course, what is needed is mastery. Many, many businesses have tried to migrate away from old mainframe technologies, without success. There is just too much built-in business logic sitting there, unrealized, but extremely important. When they try to reverse engineer it and rewrite it in a more modern language, features always drop away.

And it isn’t just COBOL users who are stuck. Here are a few other examples:

  • Microsoft has tried, and failed, to get away from “DLL Hell” since day one – and even the latest Microsoft Windows 10 still has lingering legacy code harking back to Windows 95.
  • Adobe tried to reinvent their products to be web based instead of purely installed applications – even after 5 years of development, products like Photoshop and Lightroom have only a small fraction of the legacy features. Sure, there are some neat new things, but a lot of the old functionality is lost.
  • Airlines, who spend millions of dollars each year on licensing to GDS (Global Distribution Systems) which also run legacy code, are trapped using ancient COBOL-like technology. It is the primary reason why in 2020 you are still limited to buying no more than 9 seats at a time – the underlying ticketing system can only accept a single-digit number.
  • State Farm Insurance has been built on COBOL – and when I was 16 years old I worked on their old green screen terminals. Over the last 30+ years they’ve been working to transition to a modern tech stack. For a period in the early 2000s what they did was bring PCs into the agent offices, and you had access via a separate terminal window to basically the mainframe system. In the 2010s they introduced a web interface with a more modern look, but at the end of the day, not only was COBOL the underlying database and performing the business logic, there are still certain things that can only be performed by going back into the dumb terminal.

One way to look at it is this — for the last 20, 30, 40 years a company has been investing in feature enhancements and tweaks. That is a LOT of code, and business logic that has been changed. This is muddled in with a lot of bad, legacy code that might not do anything anymore. Worse, over the course of time bad developers have come along and, instead of fixing or addressing an issue properly, wrote an obscure bit of code to work around something they didn’t understand.

Has anyone successfully migrated?

There is one company that comes to mind which did successfully and completely rewrite their system – around 2000 Apple Computer completely replaced the operating system for the Mac. When it changed from OS 1, 2, 3, etc., to OS X, it was never the same again. And along the way it broke just about everything. Apple changed both the hardware and software, and therefore older pre-OS X hardware couldn’t run OS X, and most software was not compatible either. It was basically a cut-your-losses move, of which there were many. And Apple hardly started from scratch; rather it was based on Unix. So it wouldn’t count as a migration, but they did make the change.

Can’t we do that with our legacy unemployment systems?

Absolutely it is possible, but extremely expensive. Every state has different custom rules, so a software company who has a competitive alternative will not only have a big price tag, but also an even larger cost to customize it to make it similar to your existing system. Often these costs are more than 10 years of operating expenses continuing to use COBOL.

What would I do if I was the Director of Technology for a company still using a COBOL based system?

As someone who has experience maintaining legacy code, as well as projects to completely re-write a system — here is what I would do. To ensure the greatest possible uptime and reliability, I would first decide the language framework I’m going to use. It likely would be moving to Objective-C or something similar, possibly Java (not to be confused with JavaScript) or maybe PHP. I would build out a decoupled system with a modern front-end framework (Vue, Angular, React, etc), and then use that to access my “modern” controller/model, which would start by just transparently passing through to the “legacy” system. I would progressively start moving the business logic from the legacy to the modern system, until we’ve eventually moved everything over.

This looks a lot like what I believe State Farm Insurance is doing currently. I would expect this project to easily be a decade long process or longer. Something no politician would like and it wouldn’t win any popularity vote as being seen as ‘addressing the problem’. But IMHO it is the best route forward.

The alternatives are to throw ungodly amounts of money at purchasing a new system outright and then customizing it, and having a LOT of broken things along the way. I’d rather take years to move over each part of an unemployment system and get it right, versus trying to flip the switch on a new system and mess up people’s unemployment checks.

The end result is a more affordable, reliable and stable change – that takes time, versus another expensive quick-fix.

But what about the people suffering now?

What people are looking for is a reaction instead of a response. The reality is that in a few days to weeks all of the backlog will be solved. Also realize that one of the biggest reasons for the backlog isn’t the technology but the staffing levels. But beyond that, regardless of the various reasons, it will be worked out in days to weeks. However, as someone who has implemented large-scale systems serving millions of end users, something new cannot be implemented overnight – it would be a months-long project. Therefore, throwing money at the problem will not make a meaningful difference for individuals right now. Same thing if we onboarded double the number of COBOL programmers nationwide: you’d see only an incremental increase in the processing of claims. Rather, the focus today should be on how to respond to this situation, not react. What do I need to do so that 10, 20, 30 years from now the choices made today will ensure continued success?

WH: Participating in a video conference

Oh technology, how I love thee — but the video conference is one that I love to hate. Not because it isn’t a great tool; especially in the days of Covid-19, we can do more than ever before remotely. It enables people to work from home, collaborate and share ideas. At its best it also reduces carbon emissions, unnecessary travel (planes, trains, automobiles) and bloated expense accounts for meals and lodging… However, on the worst of days, it is a huge waste of time, distraction-filled and unproductive. A lot of that has to do with the presenter of the conference, which will be a topic for another day.

Today, we’re going to talk about how to be effective at participating in a video conference. After literally thousands of hours on both ends of a conference call, here are some lessons learned.

  1. Dress for the call – this isn’t a time to show off the joys of working from home, but to show that you’re still “showing up for work” and actually earning your keep.
  2. Join the call 10 minutes early – especially if this is your first conference with that specific person. If it’s new technology to you (Zoom, WebEx, etc) then plan perhaps even more time, 15 minutes or whatever. Don’t wait until the last moment.
  3. Check your background and lighting – unless you’re in witness protection, you want to be seen in a video call, that is the whole point. Make sure you have a plain background, usually a white wall. And then enough lighting to see your face. You need more light coming at you than behind you. Also, some apps like Zoom let you either blur out the background, or replace it with some sort of stock photo. Those are all great ideas. Because someone is going to zoom in and check out your home — ooh, they’re messier, cleaner, crazier.
  4. Announce yourself when you join the call – unless your specific room has a different etiquette. Out of the gate, it’s better to announce yourself than not to.
  5. Mute your microphone/phone – start off with mute, especially if it isn’t a free-for-all discussion. Beyond the audio distraction of background noise, some conference systems will automatically switch the video to whoever starts making a sound. So if your cell phone starts ringing in the middle of the call, all of a sudden, you’re the big-screen video, and everybody knows it was you. Oop! Mute the audio (mic, phone, etc)…
  6. Turn off all other audio distractions – More important if you’re the presenter, but do put your cell phones to silent, turn off your computer notifications, etc. Also, I will close my email application (Outlook, Gmail, etc) on my desktop/laptop altogether.

WH: Dress Code

After working from home for years, I put together this new series of posts to help those who are working from home for the first time. Tips and tactics to get more done in a day.

Today we’re going to look into the dress code when you work from home. There are many different views on this topic. Here are a few of mine:

I learned from an early age that how you dress actually affects you – it goes beyond just comfort. Sure one of the nice things about being socially distant is that you could work in your pajamas, but should you?

Much study has gone into this, and what has been discovered is that those who work in non-standard work attire (pajamas, sweats, etc.) have a lower overall performance IF your job is a typical desk or professional job. So from a performance, and getting stuff done approach – get dressed like you’re going to the office. And for me, it is typically head-to-toe — yes socks and shoes too.

Just like having a separate work area, it helps keep you in that “work mindset”. So even a casual answer of the cell phone generally has a more business versus casual tonality when answering. Plus if you have any impromptu webinars, video chats, zoom, google hangout, etc., you’re already set to succeed.

We’ve all seen the videos of people having absolutely no clue when on a video conference call. Don’t be “that guy” who looks like he just rolled out of bed, still has curling rollers in his hair (do people really do that anymore?), or is just lounging on the sofa. Listen, people are probably making fun of somebody, and I’d rather be made fun of for looking like I’m at the office than be the one who looks the worst. More on video conferences in another article.

But back to clothing… Keep up your routine — if you normally shower every other day, then keep doing that. Shave, keep yourself presentable. No need to return to the office in a month looking like a caveman! Also, from a psychological perspective, maintaining certain routines helps preserve normalcy in times of great change. It helps keep you calmer, more centered, about your work and life. And whatever you normally do when you get home from work (kick off the shoes, change into something comfortable, take off the tie, whatever) — do that. Keep whatever office schedule you set up for yourself.

Please take a moment and share in the comments below your routines for working from home dress code. What have you been wearing, and does this article change your mind in any way?


Top 5 Ways to Speedup Desktop Computers

In the old days, computers often performed very slowly because of a lack of preventative maintenance. Those days are behind us because a lot of these things are now handled by Windows 10 automatically. Instead, our computers run slow either because of the junk that comes preinstalled on your computer or because of junk we put into it.

This article was based on a recent pro-bono job I did to help out a local non-profit in Redding, California. The purpose of this is how to make a typical home or small business perform better, and not take an already good machine and make it faster by tweaking (like overclocking or messing with the registry). Everything here will be pretty basic.

  1. Go through the computer and remove all unneeded software that came installed on your computer. This means games, trial software, etc. Also in most cases, 90% of the software that comes from the manufacturer (Gateway, Dell, HP, etc) can also be uninstalled without consequence.
  2. Remove all anti-virus software unless you’re using enterprise-level software. Most of them significantly slow down performance and have very little benefit. Most of the time I’ve gone in to remove a virus from a computer it was running antivirus software! Also, virtually no “free” version of anti-virus is licensed for business use (yes, that means non-profits as well). For example, see this article on Malwarebytes. If you’re on Windows 10, you can rely upon Windows Defender (built in) to do a good enough job. If you’re running an older version, you should either upgrade or manually install Windows Defender (free). Also be sure to check out my Top 5 Virus Tips (a bit old).
  3. Disable unused browser extensions: Disable anything that they don’t actively use/need. These can have problems from privacy to performance implications.
  4. Use CCleaner Portable – to do a one time scan and cleanup of the PC files, removing unneeded files and cleaning up the registry. The portable version can be found here.
  5. Use AutoRuns (advanced) – this advanced tool can be used by a technician to see a lot of the things running in the background on the computer; these becoming bloated can really cause performance issues. But if you don’t know what you’re doing here, you can easily leave your computer unable to work, or it might fail when you reboot. Don’t use this tool lightly.

That is about it as far as things that will make a difference. While I’m there I’ll also check to make sure that Windows Update, Windows Defender and disk defragmentation are working properly. In the old days doing a disk defragment was critical to performance and easy, low-hanging fruit, but those days are over. There have been so many improvements to the operating system that old tips from before 2010 no longer apply. I might also just check to make sure that the disk has enough free space (at least 20% free), but with the capacity of hard drives nowadays I cannot recall the last time I’ve seen a small business computer having performance issues due to storage limitations.

Finally, while I need to update the article be sure to look at the First 10 things I do with a new computer.




WH: Set a schedule


Transitioning from working in an office to working from home can be a lot like a teenager moving out of their parents’ house. From a structured environment to an unstructured one. And what at first seems like unlimited freedom devolves quickly into chaos. We all had different ‘out on your own’ experiences. Some more successful than others. My wife quickly noticed how many of her coworkers’ natural schedules started to show through when they’d send emails. Some emailing really early, others late at night. Not everyone is a natural ‘day person’. I certainly am not.

Here are some tips that I’ve collected over the years:

  • Make your bed after you get up – I know it’s a crazy idea, it’s based on a book I read years ago by the same name by Admiral William H. McRaven. The concept is simple, no matter what happens to your day’s schedule, you’ll have accomplished at least one thing.
  • Clean the kitchen – following quickly on the first item – get the simple, easy things out of the way. I do it while making breakfast. Slay those easy to do tasks nobody really wants to do.
  • Have a specific work area and clean anything within eyesight of it. And if there are others home with you, make sure they know that is your work zone. If you have little ones at home, you’ll need to manage this differently than those without — more on that another day. (I’ll link it here when I get around to writing it!)

Okay, so right now you’re probably asking if you’re reading the right list. Yes, you are – this is for people who have regular day jobs, white-collar, work from an office or classroom. Stick with me. One of the biggest distractions from people getting stuff done from home is the distractions of the house. These first three help avoid those distractions and get stuff actually done.

  • Set specific “work hours” – otherwise things get out of hand really quick. This is both for your sake and your coworkers, managers, etc. One benefit of working at home is often scheduled flexibility. But what messes this up is bosses who expect you to always be available, and home/family needs who feel you’re totally accessible. Boundaries need to be set on both ends.
  • Reinforce your work hours by managing when you communicate with coworkers and the office. If you want to be available 9 to 5, but are sending late-night emails, it communicates that you’re available after hours. Is that what you really want to communicate? Likewise, if you’re tending to your kids during the normal day and really only work before breakfast and after dinner, reinforce that with how and when you communicate. There are several ways (depending on how you’re set up) to write an email and schedule it to be delivered later, during your ‘office hours’. I used this extensively. I would sometimes burn the midnight oil, but not necessarily want to be ‘available’ for an immediate reply or give the impression that I normally work that late. Instead, I’d write a lot of emails that would go out at 9am.
  • Protect your privacy with a virtual phone number – Only answer work calls during your specific work hours. More details at Virtual Phone Numbers article.


This article will be updated as I create more articles that cross-reference each other. None of the links to products or services on here are affiliate links (I don’t make any revenue from them.) Additionally, the WordPress platform I use does provide other advertisement links that generate them revenue but I receive zero financial benefits.



WH: Virtual Phone Number


If your work has issued you a work phone (cell, desk, virtual phone) you can skip this article. This is for those of you who have only your personal phone to communicate with coworkers, students, etc. The last thing you want to be doing is giving out your personal cell to everyone. And as part of maintaining boundaries with coworkers, you need to be able to turn off those calls.

Imagine this:

You can give a number out to your coworkers/students/etc. that they can call, and it automatically forwards to your cell or home phone. This magical number can be set to only forward those calls during your ‘office hours’, and the rest of the time it goes to voicemail. And perhaps after all of this Corona/Covid shelter-in-place is over, you can turn off that number and still keep your personal phone number private!

There are two great ways you can do this:

  1. Google Voice is completely free, so if you have a Google account it’s really easy to set up!
  2. Ring Central is a fantastic business-level option, and during this Corona/Covid situation, if you’re in education, healthcare, non-profit or a few other cases you can get Ring Central free at this link. I have personally used Ring Central for years – and they’re great, and I was really excited to see they’re offering this free for select industries. Of course, they’re hoping you’ll fall in love with it and pay to continue service, but there is zero obligation. And remember Google Voice is permanently free!


Also, be sure to pay special attention to the feature that prevents your personal voicemail/answering machine from grabbing the message. Both Google Voice and Ring Central have options for this – that way your work and personal voicemails stay separate.

Finally, be sure to check out the texting options also available on these platforms!





[FIXED/SOLVED] scotch/box

scotch/box and scotch/box-pro have been discontinued for over 2 years! Version 3.5 was released with Ubuntu 16.05 and Pro version 1.5 was released with Ubuntu 17 – both are out of support with Ubuntu, and running them can be very challenging!

Common errors include:

  • Unable to run apt-get update without errors
  • Running apt-get upgrade doesn’t upgrade anything
  • Unable to run or install modern frameworks like Laravel or Symfony on ScotchBox
  • PHP 7.0 is no longer supported


After being frustrated at the workarounds I decided to rebuild the box completely from scratch using Nick’s Scotchbox as a baseline, but my iteration is called Cognac Box.

Installation and use are just as simple to use, but using a much more modern tech stack!

Ubuntu 18.04 LTS, latest PHP, MySQL, Redis, etc. as of March 2020

To use:

git clone my-project 
cd my-project
vagrant up

That’s it, you’re all set. Enjoy!



The following is mostly so people looking for solutions can find this page:


The following are common errors when working with ScotchBox and ScotchBox Pro in 2020:

$ sudo apt-get update
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: xenial/mongodb-org/3.2 Release: The following signatures were invalid: KEYEXPIRED 1507497109
W: Failed to fetch The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 23E7166788B63E1E
W: Failed to fetch The following signatures were invalid: KEYEXPIRED 1507497109
W: Some index files failed to download. They have been ignored, or old ones used instead.


$ composer create-project symfony/website-skeleton my_project_name
Could not delete /var/www/my_project_name/vendor/symfony/flex/src/Command:
Stderr from the command:

E: Failed to fetch  404  Not Found [IP: 80]
E: Failed to fetch  404  Not Found [IP: 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
$ sudo apt-get update
E: The repository ' artful Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.


Cognac Box — the Scotchbox Alternative

I have been using ScotchBox for Vagrant for many years for web development. It’s been a great tool. Certainly, there are other methods out there like Docker, WAMP, etc., but this tool works well for me. Nick over at built it as an excellent tool, but he is no longer maintaining it.

ScotchBox and ScotchBox Pro are no longer running a supported version of Ubuntu, and they might just outright fail to boot anymore because of that lack of support.

In 2019 I began looking for a replacement/alternative for ScotchBox and ScotchBox Pro – unable to find anything as elegant, I rebuilt my own Vagrant box based on the ScotchBox model with Ubuntu 18.04 LTS (long term support), as well as a fully updated stack of tools. And I’m releasing it for FREE:

Cognac: The Modern Vagrant Development Environment (LAMP)

The installation cannot be simpler. Assuming you have Git, Vagrant and VirtualBox installed on your system:

From the command line:

git clone my-project
cd my-project
vagrant up

That’s it, you’re all set. In a few minutes you’ll browse to:

If you have any questions, please let me know.


Forgot my password and spam

On the topic this month about security and passwords, the discussion of lost passwords comes to mind today. When you need to reset your password on a website, the most common thing it asks you for is your email address.


Seems simple and harmless enough, but can it be a gateway for spam? You might think not, but depending on how the website responds to the email address you put in, it might!

Some systems will reply in a clear way as to whether that account exists or not. For example, it might reply that the password will be emailed to you, or that the account doesn’t exist.

Think about that, what is the implication?

Simply that a malicious person can write a very basic script that will attempt to “password reset” random email addresses, and your response will verify whether that email actually exists.

There are a few threats here:

  1. First, it gives a hacker specific knowledge that your account exists, so they can try to brute-force their way into your account;
  2. Instead of attempting to figure out whether you have an account, now I can simply send you a spoofed email saying you need to change your password at that site because, well, I know you have an account there, and it makes the attack that much more legitimate-sounding;
  3. Finally, it lets them sell your email address as a known good address, since obviously you use it to access some online service.


For the end-user/consumer/professional, take a moment, see which websites leak your private email address. If they do, direct them to read this article so they can protect your privacy better.

For developers, this is a call to action to stop leaking this data accidentally. The preferred method is to simply say “if your account exists, we’ll send you a password reset”. That stops it dead in its tracks because that same message goes back for every email attempt. Also, be sure to check out this article about account security overall.
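The reset flow the article recommends, as an added example that is not part of the original post and not any framework’s own code (the site uses PHP; this is written in Python so it runs stand-alone). It puts the leaky handler beside the hardened one: the hardened version returns the same message for every address, only mints a token when an account really exists, stores just a hash of that token, and accepts it once within a short time-to-live. The in-memory USERS table, the email addresses and the function names are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory "user table" for the demo; a real site reads its database.
USERS = {"alice@example.com": {"reset_token_hash": None, "reset_expires": 0.0}}

RESET_TTL_SECONDS = 15 * 60
UNIFORM_MESSAGE = "If an account exists for that address, we have emailed a reset link."


def leaky_request_reset(email: str) -> str:
    """The pattern the article warns about: the reply reveals whether the account exists."""
    if email in USERS:
        return "Password reset instructions have been emailed to you."
    return "No account exists for that email address."


def _hash_token(token: str) -> str:
    # Store only a hash of the token so a database leak does not yield live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def safe_request_reset(email: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Uniform reply for every address; a token is minted only for real accounts.

    Returns (message shown to the requester, token that would be emailed or None).
    The token is returned here only so the demo can exercise it; a real handler
    hands it to the mailer and never echoes it back to the browser.
    """
    now = time.time() if now is None else now
    token = None
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)            # 256 bits of entropy, unguessable
        user["reset_token_hash"] = _hash_token(token)
        user["reset_expires"] = now + RESET_TTL_SECONDS
    return UNIFORM_MESSAGE, token


def redeem_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Accept a token once, within its TTL. Expired or used tokens are cleared."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None or user["reset_token_hash"] is None:
        return False
    if now > user["reset_expires"]:
        user["reset_token_hash"] = None              # stale link: drop it
        user["reset_expires"] = 0.0
        return False
    if not hmac.compare_digest(user["reset_token_hash"], _hash_token(token)):
        return False                                 # wrong token: leave the real one intact
    user["reset_token_hash"] = None                  # one-time use: cannot be replayed
    user["reset_expires"] = 0.0
    return True
```

One caveat a practitioner should keep in mind: a uniform message removes the content-based leak, but the hardened path still does more work (token generation, sending mail) for real accounts, so response time can differ. Queueing the email send and rate-limiting the reset endpoint closes most of that gap.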


WebDev: Password Best Practice

Based on my article earlier today about Password Reset Tips for Businesses, this article is about the responsibilities and best practices of web developers. The Security versus Convenience paradigm is well known. There is no specific rule here because each business use case is different. However, it is extremely common for security to be an after-thought or bolt-on instead of designed with a security model in mind.

It is important to first determine what level of security is needed. And while most of us are not designing a bank-level secure application, we often have extremely valuable and sensitive information. Among those is the simple username-password combination. We all know someone who does it, perhaps you still do, but almost certainly you used to — that is share passwords between websites. And your application users are doing that too. Many of them actually are giving you their bank password! So to some degree, you have extreme trust from your end users and need to take that seriously. So with that in mind, let’s talk about several best practices as well as what I’ve seen in the wild:

  • Passwords:
    • should never be stored in plain text, or even in a reversibly encrypted form. In virtually no use case is there a need for you to know a user’s password; store only a salted, slow hash of it.
    • any password sent in plain text should be single-use (e.g. an initial welcome email or a password recovery). A reset password or link sent via plaintext email must expire and must never be reusable.
    • the hashing algorithm should be upgradable, because today’s secure hash is tomorrow’s insecure one. I remember when MD5 was the best hash we had available. Your code should be able to accommodate changes to the hash method, ideally by storing the algorithm and its parameters alongside each hash and re-hashing on the user’s next successful login.
    • passwords should be salted with a unique, random salt per hash. Some frameworks do this for you; PHP’s password_hash, for example, generates a fresh salt for every hash.
    • password length and other criteria should be determined by your specific need for security; obviously, the longer the better. The evidence supports length over complexity every time, and NIST’s current guidance (SP 800-63B) dropped the recommendation for mandatory special characters.
    • consider partnering with third parties like LastPass to help users adopt a password manager.
    • consider checking new passwords against the Have I Been Pwned list of breached passwords (over 500 million of them) via its Pwned Passwords API. Its k-anonymity “range” endpoint lets you do this without sending the password, or even its full hash, off your server.
    • know that one-time passwords delivered at every login, i.e. simply emailing or texting the user a code each time, are not inherently more secure: they are only as strong as the channel they travel over, and email and SMS can both be intercepted or redirected, and the codes themselves can be phished.
    • while scheduled password expiry is now considered a legacy practice, do consider when a password should stop being valid. Imagine that inactive accounts (say, one year without a login) have their password hashes purged, so a returning user must reset their password via email. How does that improve security? If you were breached, how many fewer password hashes would be exposed? Think of LinkedIn being able to say that 30 million active accounts were compromised, plus 137 million usernames without passwords, instead of 167 million accounts. That would be a huge improvement. It helps the security landscape, though it still might not save your job!
  • Usernames:
    • email addresses are acceptable as usernames, but distinct usernames are better: they are not reused across sites the way an email address is, and a leaked list of them cannot be correlated with your users’ other accounts.
    • consider providing “display names” and “usernames” as distinct fields. The username can then be stored hashed, much like the password, so that if your database is exposed both the username and the password are protected. Note that a per-row random salt, as used for passwords, would stop you looking the user up by username at login; use a keyed hash (an HMAC with a secret key stored outside the database) for the username, and keep that key separate from whatever pepper you use for passwords.
  • Email Addresses:
    • evaluate: do you really need to store the email address for your users? In many cases the only time you contact them is during a password reset, at which point they can provide the address and you can compare it against the keyed hash you store.
    • another pattern is to keep notification preferences (phone, email, etc.) in a separate table, so that notifications can still be sent while your authentication table is kept free of unprotected email addresses.
  • Two Factor Authentication:
    • these are great technologies to employ, either at every login or when accessing highly sensitive areas. My bank, for example, requires my RSA 2FA fob when I conduct any financial transfer, but just a simple password for most “less sensitive” activities. This is a great balance of security and convenience.
    • my own personal perspective is that biometrics-based authentication must always be paired with another factor and never relied upon as a single factor. (ahem, Microsoft) While password management is an issue, the problem with biometrics is that we’re barely keeping ahead of the ability to detect fraudulent use of our biometric data. And the biggest problem is that once your biometric identity has been compromised, you cannot change it like you can a password. Once fingerprint tables get into the wild (perhaps they already are), you cannot just change your biometric data. You have to trust that the biometric technology gets better at detecting fraud.
  • Cookie & Session Security:
    • this is a big topic and cannot be summarised in a sentence, but you must not blindly trust your web server to handle session state securely. You must ensure that the person you think you’re talking to is the right person, i.e. that the session hasn’t been hijacked: use long, random session identifiers, mark the cookie Secure and HttpOnly, set SameSite, and rotate the session identifier on login and on any change of privilege.
    • consider limiting the number of concurrent sessions per login (so that two sessions cannot run simultaneously with the same credentials).
    • understand how changing IP addresses affect sessions (mobile roaming, VPNs, etc.). When might you need to prompt for re-authentication?
    • clearly understand how your “remember me” feature can be insecure, and which actions should trigger re-authentication.
    • is there a way for users to see and manage their active sessions? Can they log out all other sessions? Should you be doing this automatically, for example after a password change?
  • Rate limits, brute force attacks:
    • how is your system designed to detect and prevent brute-force attacks? Do you even know whether it is happening? I can guarantee that it is happening right now, but can you see it? What are you doing about it?
  • Web Application Firewall (WAF):
    • are you implementing a WAF, either in your firewall or as a software solution? What is watching for zero-day exploits and the common attack vectors? What prevents an unexpected crash from dumping a stack trace or source code to the screen?
  • Cross-Site Scripting (XSS) & Cross-Site Request Forgery (CSRF):
    • what is being done in code to protect against these threats? Are you accepting form posts without a CSRF token? Is every piece of user-controlled output escaped for the context it is rendered in?
    • how are you protecting against replay attacks?
    • a major airline made this mistake, causing credit cards to be compromised.
  • Zero trust for user-submitted data:
    • be sure to validate and filter all user-supplied input.
    • properly parameterise your queries (prepared statements) before sending data to your database, to avoid SQL injection attacks.
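Upgradable, salted password hashing as described in the Passwords bullets above, as an added example (not the post’s own code). The storage format (alg$iterations$salt$digest), the iteration count, and the “md5_legacy” record type standing in for an old unsalted MD5 hash are all assumptions of this example; the point is that the record describes how it was made, so verification still works for old records and a stronger replacement is produced whenever a login succeeds against an outdated one.

```python
import base64
import hashlib
import hmac
import os

# Current policy. Raising the iteration count or switching algorithm here is all
# a migration needs: old records keep verifying and are replaced on next login.
CURRENT_ALG = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # assumption: OWASP's 2023 PBKDF2-HMAC-SHA256 figure


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Self-describing record: alg$iterations$salt$digest (salt/digest base64)."""
    salt = os.urandom(16)                           # fresh random salt per hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([CURRENT_ALG, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])


def legacy_md5_record(password: str) -> str:
    """Constructed stand-in for an old, unsalted MD5 hash still in the table."""
    digest = hashlib.md5(password.encode()).digest()
    return "$".join(["md5_legacy", "0", "", base64.b64encode(digest).decode()])


def verify_password(password: str, stored: str):
    """Return (ok, replacement). replacement is a new record when the stored one
    uses an outdated algorithm or weaker parameters and should be written back
    to the database in place of the old one."""
    alg, iters, salt_b64, dk_b64 = stored.split("$")
    iterations = int(iters)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    if alg == "pbkdf2_sha256":
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    elif alg == "md5_legacy":
        actual = hashlib.md5(password.encode()).digest()
    else:
        raise ValueError(f"unknown password hash algorithm {alg!r}")
    ok = hmac.compare_digest(actual, expected)      # constant-time comparison
    outdated = alg != CURRENT_ALG or iterations < CURRENT_ITERATIONS
    return ok, (hash_password(password) if ok and outdated else None)


if __name__ == "__main__":
    old = legacy_md5_record("correct horse battery staple")
    ok, replacement = verify_password("correct horse battery staple", old)
    print(ok, replacement.split("$")[0])       # True pbkdf2_sha256
```

Re-hashing is only possible at the moment the plaintext is available, which is why the upgrade hooks into a successful login; records that never log in again stay on the old scheme, which is the same argument the text makes for purging the hashes of long-inactive accounts. In production, prefer a maintained library (bcrypt, scrypt or Argon2 bindings) over hand-rolled PBKDF2, but keep the self-describing record and the re-hash-on-login step.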
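The breached-password check from the Passwords bullets above, as an added example (not the post’s own code). It implements the Pwned Passwords k-anonymity range lookup: only the first five hex characters of the password’s SHA-1 are sent, and the returned list of suffixes is searched locally. The live fetch targets the real endpoint, but the demonstration runs offline against a constructed response whose counts are made up.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """SHA-1 of the password, split into the 5-hex-char prefix that is sent to
    the service and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count
    for our suffix, or 0 if it is absent."""
    for line in body.splitlines():
        sfx, sep, count = line.strip().partition(":")
        if sep and sfx.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the service (not used by the offline demo)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=5) as resp:
        return resp.read().decode()


def breach_count(password: str, fetch=fetch_range_live) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed offline stand-in for a range response. The other suffixes and all
# of the counts are made up; only the suffix for "password" is computed.
_PREFIX, _SUFFIX = split_sha1("password")
SAMPLE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:2",
    f"{_SUFFIX}:3861493",
    "1E2AAA439972480CEC7F16C795BBB429372:1",
])


def breach_count_offline(password: str) -> int:
    return breach_count(password, fetch=lambda prefix: SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(breach_count_offline("password"))                        # 3861493
    print(breach_count_offline("correct horse battery staple 9!"))  # 0
```

Run the check when a password is set or changed, not on every login, and treat a non-zero count as a reason to reject the password (or at least to warn), never as a reason to store the password anywhere.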
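The brute-force detection the “Rate limits, brute force attacks” bullet asks about, as an added example (not the post’s own code). It runs sliding-window failure counters over a constructed authentication log whose format (ISO timestamp, result, username, source IP) is an assumption of the example. Counting per source IP catches password spraying (one address trying many accounts); counting per account catches a single target being hammered from many addresses, which a per-IP limit alone would miss.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the format is assumed for the example and is not any
# real server's. One IP spraying twelve accounts, one account hit from six IPs,
# a normal login, and two failures an hour apart that should not trigger anything.
SAMPLE_LOG = "\n".join(
    [f"2020-04-10T12:00:{i:02d} FAIL user{i:02d} 203.0.113.7" for i in range(1, 13)]
    + [f"2020-04-10T12:01:{i:02d} FAIL bob 198.51.100.{i}" for i in range(1, 7)]
    + ["2020-04-10T12:02:00 OK alice 192.0.2.5",
       "2020-04-10T11:00:00 FAIL carol 192.0.2.9",
       "2020-04-10T12:05:00 FAIL carol 192.0.2.9"])

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")


class BruteForceMonitor:
    """Sliding-window failure counters keyed by source IP and by account."""

    def __init__(self, window=timedelta(minutes=5), ip_limit=10, account_limit=5):
        self.window = window
        self.limits = {"ip": ip_limit, "account": account_limit}
        self.failures = {"ip": defaultdict(deque), "account": defaultdict(deque)}
        self.alerted = set()                     # alert once per key, not per event

    def record(self, ts, result, account, ip):
        """Feed one event; return the alerts it triggered as (kind, key, count)."""
        alerts = []
        if result == "OK":
            self.failures["account"].pop(account, None)   # success resets the account counter
            return alerts
        for kind, key in (("ip", ip), ("account", account)):
            window = self.failures[kind][key]
            window.append(ts)
            while window and ts - window[0] > self.window:
                window.popleft()                 # drop failures outside the window
            if len(window) > self.limits[kind] and (kind, key) not in self.alerted:
                self.alerted.add((kind, key))
                alerts.append((kind, key, len(window)))
        return alerts


def analyse(log_text: str, **monitor_kwargs):
    """Parse, sort by time (logs are not always in order) and replay the events."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, result, account, ip = match.groups()
            events.append((datetime.fromisoformat(ts), result, account, ip))
    events.sort(key=lambda event: event[0])
    monitor = BruteForceMonitor(**monitor_kwargs)
    alerts = []
    for event in events:
        alerts.extend(monitor.record(*event))
    return alerts


if __name__ == "__main__":
    for kind, key, count in analyse(SAMPLE_LOG):
        print(f"{kind} {key}: {count} failures within the window")
```

What you do with an alert is a product decision (temporary lockout, a CAPTCHA, step-up authentication, or just paging someone), but the same counters can drive the decision inline at login time rather than after the fact; the thresholds here are illustrative.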
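Session-cookie attributes, session rotation and CSRF tokens, covering the “Cookie & Session Security” and “XSS & CSRF” bullets above, as an added example (not the post’s own code and not tied to any framework). The cookie name, the in-memory Session class and the single-use nonce scheme for sensitive forms are assumptions of the example; the nonce is what answers the replay question, since a captured submission cannot be posted a second time.

```python
import hmac
import secrets


def session_cookie_header(session_id: str, max_age: int = 3600) -> str:
    """Set-Cookie line for the session cookie: unreadable by script (HttpOnly),
    never sent over plain HTTP (Secure), not attached to cross-site POSTs
    (SameSite=Lax)."""
    return (f"session={session_id}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


class Session:
    def __init__(self):
        self.id = secrets.token_urlsafe(32)           # 256-bit random session id
        self.csrf_token = secrets.token_urlsafe(32)   # synchronizer token, one per session
        self.pending_nonces = set()                   # single-use tokens for sensitive forms

    def rotate(self) -> str:
        """Call on login and on privilege change, so an id handed out before
        authentication (possibly fixated by an attacker) is never promoted."""
        self.id = secrets.token_urlsafe(32)
        self.csrf_token = secrets.token_urlsafe(32)
        self.pending_nonces.clear()
        return self.id


def form_token(session: Session, single_use: bool = False) -> str:
    """Value to embed in a form as a hidden field. single_use issues a fresh
    nonce that is accepted exactly once, which also blocks replay."""
    if single_use:
        nonce = secrets.token_urlsafe(16)
        session.pending_nonces.add(nonce)
        return nonce
    return session.csrf_token


def verify_form_token(session: Session, submitted, single_use: bool = False) -> bool:
    """Check the token posted back with the form against the session."""
    if not isinstance(submitted, str):
        return False                              # missing field: reject, never default
    if single_use:
        # Nonces are 128-bit random values, so set membership is the check;
        # discard on first use so a replayed submission fails.
        if submitted in session.pending_nonces:
            session.pending_nonces.discard(submitted)
            return True
        return False
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


if __name__ == "__main__":
    s = Session()
    print(session_cookie_header(s.id))
    nonce = form_token(s, single_use=True)
    print(verify_form_token(s, nonce, single_use=True),      # True
          verify_form_token(s, nonce, single_use=True))      # False: replay
```

The token check belongs on every state-changing request, and the cookie attributes are only a defence in depth for it: SameSite=Lax still lets top-level cross-site GETs carry the cookie, so nothing state-changing may be reachable by GET.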

Finally, remember that usernames, passwords and the issues addressed above are primarily your “front door”. Don’t forget the other security elements you need to account for: are the windows, the crawlspaces and the inside secure? There is a great YouTube video about physical security for server rooms; you can spend huge amounts on ‘security’ while effectively leaving the physical door unlocked! This includes your physical servers, data at rest, data across sessions, and how data is protected from authorized users. Who can access sensitive or encrypted data? Your server administrators don’t need to be able to see, read or decrypt that data, and neither should your web developers.

As you look at this, understand that there is a lot more to developing applications securely. If you’re tempted to hand this responsibility off to OAuth or another third party, you still need to understand this list. Why? Because you need to know which parts above are handled by them, and therefore what remains on your shoulders. If your database queries aren’t properly parameterised, I can still inject something like “SELECT * FROM credit_cards WHERE 1=1” and all is lost! That isn’t an authentication issue, but it is a security issue. We often think of security as just an authentication question, but authentication is only one part of it; security is holistic, not something a plug-in, add-on or module will solve.
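The injection mentioned above, shown side by side with the parameterised query that stops it, as an added example (not the post’s own code). It uses an in-memory SQLite database with a constructed credit_cards table; the vulnerable function builds the SQL by string concatenation, the safe one passes the value as a bound parameter so it can never become part of the query text.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data, held in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE credit_cards (id INTEGER PRIMARY KEY, owner TEXT, last4 TEXT)")
    db.executemany("INSERT INTO credit_cards (owner, last4) VALUES (?, ?)",
                   [("alice", "1111"), ("bob", "2222"), ("carol", "3333")])
    return db


def cards_for_owner_vulnerable(db, owner: str):
    """DO NOT USE: the caller's input is spliced into the SQL text, so a quote
    in the input rewrites the WHERE clause."""
    sql = "SELECT owner, last4 FROM credit_cards WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()


def cards_for_owner_safe(db, owner: str):
    """Prepared statement: the driver sends the value separately from the SQL,
    so the same input is just compared as a string and matches nothing."""
    return db.execute("SELECT owner, last4 FROM credit_cards WHERE owner = ?",
                      (owner,)).fetchall()


# The classic payload: closes the quoted string, ORs in a tautology, and the
# comment marker swallows the trailing quote from the original query.
PAYLOAD = "x' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print(cards_for_owner_vulnerable(db, PAYLOAD))   # every row in the table
    print(cards_for_owner_safe(db, PAYLOAD))         # []
```

The same rule applies whatever the database: values go through the driver’s placeholders, and anything that cannot be bound (table or column names, ORDER BY directions) is validated against an allow-list rather than escaped.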


Happy coding!
