Entrepreneurial Quotes

Taken from How To Spot a Breakthrough: Tips from Early Amazon Investor Nick Hanauer, which has a lot of good sound bites:

The key elements of a breakthrough idea, Hanauer said, are value creation and social disruption.

As for social disruption, Hanauer gave a quick summary of what he meant:

—If everyone thinks it’s a great idea, it probably sucks.
—If people understand it, you’re too late.
—If people don’t like it and don’t understand it, it probably still sucks.

If you have a breakthrough idea, you don’t need a breakthrough way to get it to the market. “If you have transformational value, people will beat down your door…Focus on the product. If the product is good enough, marketing will take care of itself. If the product sucks, no amount of marketing will get you over the hump.” [see ALL IN Expert]

—”I’m not a technologist. From my point of view, technology is simply a thing that allows you to bring transformational things to customers…People get excited about a particular technology, and they forget the question: what does this do for people? It’s about what the customer gets compared to the alternatives.”

—”As an entrepreneur, I’ve never been concerned about competition. If you’re early, run like hell. It’s all about execution at the end of the day. It’s about having a great idea, executing like hell, and delivering value to customers.”

—As for walking a different path, “I was difficult for my parents, and for my teachers. I’m incredibly uncomfortable in crowds, I never go to sporting events…What that allows is for you to have an idea and be comfortable with people not liking it. Jeff Bezos calls me a high-functioning contrarian.”

Hmm, I think I just quoted about half the article.

Why to Set a Time Limit on Password Reset Emails

You know those password reset links that are sent to you when you forget your password? Well, some of them set a limit on how long you can use it before the link stops working. For the life of me, I couldn’t figure out why sites did this. Who cares how long it takes me to get around to resetting my password? Why not just make the same link work every time a person wants to reset his or her password?

So, I coded up a registration and password reset system for Domain Pigeon without setting a time limit on reset password links.

Last night, somewhat randomly, it hit me why this is a bad idea. It’s so obvious now that I don’t know why I didn’t think of it sooner.

If you reset your password in a public place, such as a library computer, the reset password URL will probably be stored in the browser navigation history. The next person who uses the computer might accidentally come across the “www.whatever.com/reset/…” URL and click it to see what happens. Surprise: it still works.

So how do you prevent this? You guessed it: a time limit.

Here’s how I implemented it for Domain Pigeon. When the customer requests a password reset email, store the time they requested it and then, to generate the URL, use a hash of the user’s email concatenated with the time they requested it. This’ll ensure that the URL is unique based on that specific request (aka a salt).

Then, when the customer clicks the link to reset his password, compare the current time to the time the link was sent and if it’s less than a specific amount of time, allow him to change his password. In pseudocode, this looks something like:

if hash(user.email + user.forgot_sent_at) == params[:hash] and user.forgot_sent_at + 2.hours > Time.now then
  # the token matches the stored request time and the request is less than two hours old
  ... yada yada yada
end

[Update: Note that the hash function used here is a SHA-1 hash of the input concatenated with a secret key, so that the final product here = SHA(user.email + user.forgot_sent_at + long_random_string). Thank you to Artem for pointing out it needed to be clarified]

Lastly, after the password is changed, reset the stored time. That will prevent someone from changing the password twice using the same reset password link.

The only flaw I see with this method is for the person who clicks the link to reset his password and abandons it, because that’ll allow someone else to access the page and reset his password. Fortunately, this should be rare enough that it’s not a major problem. For extra security, set the time limit to five or ten minutes. After all, how many people request a reset password link and don’t access it within the next few minutes? For the few that do, they probably won’t mind the small annoyance in return for the extra security.
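The whole flow described above (store the request time, derive the link from it, check the time window on click, clear the stored time after the change so the link is single-use) as an added Ruby example; this is not Domain Pigeon's code. It swaps in HMAC-SHA1 keyed with the server secret for the post's SHA-1 over email + time + secret, adds a constant-time comparison of the presented token, uses the five-minute window the post suggests, and stands in for the user record, the secret key and the site URL with constructed values.

```ruby
require 'openssl'

# Constructed stand-in for the application's secret key; a real deployment
# loads it from configuration rather than source code.
SECRET_KEY = 'constructed-example-secret-do-not-use'.freeze

# Five-minute window, the tighter limit the post suggests for extra security.
RESET_WINDOW_SECONDS = 5 * 60

# Minimal in-memory stand-in for a user row with the post's forgot_sent_at column.
User = Struct.new(:email, :password, :forgot_sent_at)

# Token for the request recorded in forgot_sent_at. HMAC-SHA1 over
# "email|request time" replaces the post's SHA1(email + time + secret);
# because the request time is part of the input, every request yields a
# different link, and a link stops verifying as soon as the stored time changes.
def reset_token(user)
  return nil if user.forgot_sent_at.nil?
  data = "#{user.email}|#{user.forgot_sent_at.to_i}"
  OpenSSL::HMAC.hexdigest('SHA1', SECRET_KEY, data)
end

# Step 1: the user asks for a reset email. Record when, then build the link.
def request_reset(user, now: Time.now)
  user.forgot_sent_at = now
  "https://www.example.com/reset/#{reset_token(user)}" # constructed URL shape
end

# Byte-by-byte comparison that does not short-circuit on the first mismatch,
# so response timing does not reveal how much of a guessed token was right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 2: the user clicks the link. Accept only if the token matches the stored
# request time and that request is still inside the window.
def reset_link_valid?(user, presented_token, now: Time.now)
  expected = reset_token(user)
  return false if expected.nil? || presented_token.nil?
  return false unless secure_equal?(expected, presented_token)
  user.forgot_sent_at + RESET_WINDOW_SECONDS > now
end

# Step 3: change the password, then clear forgot_sent_at so the same link
# cannot be used a second time (the post's "reset the stored time").
def change_password(user, presented_token, new_password, now: Time.now)
  return false unless reset_link_valid?(user, presented_token, now: now)
  user.password = new_password
  user.forgot_sent_at = nil
  true
end

# Pull the token back out of the link, as the /reset/:hash route would.
def token_from_url(url)
  url.split('/').last
end

if __FILE__ == $PROGRAM_NAME
  user = User.new('alice@example.com', 'old-password', nil)
  link = request_reset(user)
  token = token_from_url(link)
  puts "link:          #{link}"
  puts "valid now:     #{reset_link_valid?(user, token)}"
  puts "valid in 10m:  #{reset_link_valid?(user, token, now: Time.now + 600)}"
  puts "changed:       #{change_password(user, token, 'new-password')}"
  puts "valid again:   #{reset_link_valid?(user, token)}"
end
```

The expiry check and the single-use check are independent: an abandoned link (the flaw the post notes) dies at the end of the window, and a used link dies immediately because clearing forgot_sent_at removes the value the token was derived from.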

If anyone has any thoughts on this method or password reset algorithms in particular, please let me know.