Password trouble: Need to be careful with long passwords

I am a fan of Steve Gibson and his weekly Security Now audio talks.

His website has a password generation page which generates "long, high-quality random passwords" and in the spirit of self defense I copied about 30 characters [half of the generated alpha-numeric password] and pasted it into the password box of a web application I use. Although the number of '*' characters in the password box was less than the length of the password I pasted, I continued and clicked on the 'change password' button. The password change confirmation text appeared and I promptly saved this new long password into Password Minder [my password remembering application].

When I tried to login with the new long password, I got the 'invalid password' message!

After a few tries I came to the conclusion that the password I put in was probably truncated. However, I had no idea what the maximum password length for the web application was! I looked up the documentation, FAQ etc. but couldn't find the maximum length of the password. It was frustrating.

The way you enter the password is through the browser's User Name and Password prompt, so it does not limit the no. of characters you can enter, which means I cannot use the built-in 'Maximum Length' feature that many textboxes have to find the limit.

The generated password I had was 30 characters long.

Guessing that the web application had a 16 character limit for the password, I copied the first 16 characters of the generated password into the password box and tried. No luck.

Remaining locked out was not an option and the obvious 'brute force' approach of trying different lengths from 5 to 30 one by one did not appeal to me.

The key was to find out the password character limit and I resumed on that path. Remembering that the change password box was showing fewer '*' than I had pasted, I started searching for any documentation or page which would show me the no. of '*' in the change password page. At last I found it on their FAQ page:-

It looked like the following

I thanked my stars and counted them. It was an odd number 15.

So, I copied the first 15 characters of the generated password that I had and it worked! Problem solved, lesson learned.

[A long post to describe a simple stupid mistake and lesson learned. I am not even sure I got the story across but I enjoyed every bit of the writing process. Live Writer does make blog writing easier]

posted by richardhsu | 1 Comments
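
The failure described in this post, as an added example (not code from the web application, which the post does not name): a change-password handler that silently keeps the first 15 characters while the login path checks the full string, next to a variant that refuses over-length input and states the limit. The class names, the PBKDF2 storage scheme and the 30-character sample are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 15  # the limit the post arrives at by counting the '*' characters
PASTED = "k3Vq9ZtB7mXw2LpR5sYd8NcH4gJf6A"  # constructed 30-character sample


def _digest(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for the example: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """Change form silently truncates; the login path does not."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._stored = None

    def change_password(self, new_password: str) -> str:
        kept = new_password[:MAX_LEN]  # silent truncation: the defect
        self._stored = _digest(kept, self._salt)
        return "password changed"  # the user is told nothing about the cut

    def login(self, password: str) -> bool:
        # Like the browser prompt in the post, nothing here limits the length.
        if self._stored is None:
            return False
        return hmac.compare_digest(_digest(password, self._salt), self._stored)


class StrictStore(TruncatingStore):
    """Same limit, but over-length input is refused and the limit is stated."""

    def change_password(self, new_password: str) -> str:
        if len(new_password) > MAX_LEN:
            raise ValueError(
                f"password has {len(new_password)} characters; maximum is {MAX_LEN}"
            )
        return super().change_password(new_password)


def replay_post() -> dict:
    """Replay the post's attempts: full paste, 16-char guess, 15-char prefix."""
    store = TruncatingStore()
    store.change_password(PASTED)
    return {n: store.login(PASTED[:n]) for n in (30, 16, 15)}


if __name__ == "__main__":
    print(replay_post())  # only the 15-character prefix logs in
```
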

Start Menu Search using PowerShell

Searching for programs to run from the Start Menu is tedious, which led me to write an IronPython script for it.

Tonight, I learned PowerShell and here is what I have so far which does the same thing:-

cd  to your '\All Users\Start Menu' directory

to search for all programs with the 'sql' in its name, type
$hits  = ls -recurse -filter *.lnk | where {$_.Fullname -like "*sql*"}

this will display the result of the search
echo $hits | select Name

to start the 1st hit in the result, type
ii $hits[0].PSPath

that's it!! this will run the program which is first in the list.

Sample run :-

Objective: To start Visual C# Express IDE

PS C:\Documents and Settings\All Users\Start Menu> $hits = ls -recurse -filter *.lnk | where {$_.Fullname -like "*express*"}
PS C:\Documents and Settings\All Users\Start Menu> echo $hits | select Name

Name
----
Microsoft Visual C# 2005 Express Edition.lnk
Microsoft Visual Web Developer 2005 Express Edition.lnk
SQL Server Management Studio Express.lnk

PS C:\Documents and Settings\All Users\Start Menu> ii $hits[0].PSPath

posted by richardhsu | 376 Comments

Preallocating list in python

I was looking for a way to preallocate a Boolean list in Python but didn't know a simple way.

After googling I got the following:-

# this would give us a 100 element list, each element initialized to False
flags = [False] * 100

'interesting' i thought but how do I explain this syntax ?

After looking at the Python language reference, I got the explanation:-

"The * (multiplication) operator yields the product of its arguments. The arguments must either both be numbers, or one argument must be an integer (plain or long) and the other must be a sequence. In the former case, the numbers are converted to a common type and then multiplied together. In the latter case, sequence repetition is performed; a negative repetition factor yields an empty sequence."

source: http://docs.python.org/ref/binary.html

Sql Server Everywhere - the same familiar engine inside a few dlls

I am comfortable with Sql Server and now we have a small footprint, embeddable version of it which makes me happy.

While going through the various documentation, the following caught my eye:-

"..Alternatively, SQL Server Everywhere Edition can be deployed by copying the engine files (several DLLs totaling less than 2MB) to the application directory.  The former option helps support scenarios where the user does not have administrative rights on the machine. "

Source: http://download.microsoft.com/download/7/f/c/7fc20778-4e2e-4944-b432-ed74b404e542/SQLServerEverywhereDatasheet_final.doc

 

For me personally, this means that I can write web apps with Sql Server Everywhere without having Sql Server hosting. Currently, I would go with Jet mdb files but this opens up another option.

 

But I need to dig in and see how different it is from Jet and how similar it is to Sql Server 2005.

posted by richardhsu | 1 Comments

Rant: Microsoft Urls

For some strange reasons, Microsoft web site urls tend to be really long. Even the new ones.

Today, I found out that IronPython was migrated to CodePlex.com and the url for that ? http://www.codeplex.com/Wiki/View.aspx?ProjectName=IronPython

Excluding the 'http://' part, it's 54 characters long. So, if it's to be typed by hand, it would take 54 keystrokes. It's very difficult to remember too.

The Msn Spaces had a long url as well but they quickly reacted to feedback and made it friendlier and shorter. Instead of 'spaces.msn.com/members/richard76', they removed the redundant 'members' so now it's simply 'spaces.msn.com/richard76'. But because they had 'member' in there before, there potentially exist many links that point to the older version while many would point to the shorter one, thereby creating two web addresses for the same thing!

I hereby request the CodePlex team to reconsider their urls and see if it can be made shorter and simpler.

Present: www.codeplex.com/Wiki/View.aspx?ProjectName=IronPython
Suggested: www.codeplex.com/IronPython

Urls are for human consumption and therefore need to be friendlier.

At present, it looks like a typical geeky function call. I am guessing they spent way too much time in getting their quality up and missed reading "Cool URIs don't change" by Tim Berners-Lee :-)
posted by richardhsu | (Comments Off)

creating string list - why Python is healthier than C#

I needed a string array, so I go
string[] tags = new string[] {"python", "ruby", "good"};
 
but I also need to search for a particular string..
to get IndexOf(...) functionality, I change it to [C# v2]
List<string> tags = new List<string>(new string[] {"python", "ruby", "good"});
 
then, thinking that copying strings might not be efficient, looking further, I find that ArrayList has a very interesting static Adapter method, so I change it to
ArrayList tags = ArrayList.Adapter(new string[] {"python", "ruby", "good"});
 
this is still a lot of typing compared to doing it in python syntax
tags = ["python", "ruby", "good"]
 
short and sweet [more finger/keyboard friendly, more eye ball friendly, therefore more healthy]
 
if you are writing or reading just a few lines, it's not a problem but when you are working with a larger code base, the difference between the syntaxes is enough for you to wish IronPython would make Python a first class CLR language. IronPython v1 is in beta 6 now, but its v1 release would still only be a CLS consumer, not producer which means ASP.NET + IronPython is still in the distance.. :-(
 
let me know if anyone knows a shorter way of declaring and initializing a list of string in C#. thank you in advance.
posted by richardhsu | 1 Comments

StartFast: a simple utility that helps you find programs and start it.

For various reasons my Start menu has many programs and program groups in it. I see three columns of programs when I expand the "All Programs" in my Start menu. This made finding and starting programs a little time consuming.

So, I decided to do something about it and wrote a python script which would search the shortcuts [.lnk files] in my Start menu and launch it. Later I also added searching my desktop for shortcuts. To simplify sharing and in the interest of trying out GotDotNet, I published it at GotDotNet and called it StartFast.

Check it out. I am fairly new to python [using IronPython] so my style is still very C#. Any suggestions regarding my python style would be appreciated.

I am aware that Windows Vista will have a program search built into the Start menu and Google Desktop has a Quick Search feature for searching programs amongst other things. However, my current OS is Windows XP and I am not interested in using Google Desktop search [I am happy with Yahoo! desktop search which I use only when I need to search for a file. I don't run it as a system tray application].

This marks a minor return to coding after a long break.

posted by richardhsu | 306 Comments

Generating large random numbers

How to generate a positive 10-digit random no. ?

By positive 10-digit random no., I mean long numbers between 1,000,000,000 and 9,999,999,999

My quick solution :-

using System;

class LargeRandom {
  static void Main() {
    Random rand = new Random();

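    // generate 20 numbers.
    for (int i=0; i < 20; i++) {
      // Random.Next's upper bound is exclusive, so use 100000 to include 99999.
      int high = rand.Next(10000, 100000);  // leading five digits: 10000..99999
      int low = rand.Next(0, 100000);       // trailing five digits: 00000..99999
      Console.WriteLine(high * 100000L + low);
    }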
  }
}

Ideas ? thoughts ? bugs ? wtf??!!

posted by richardhsu | 1 Comments

XmlWriterSettings.Encoding vs. XmlWriter.WriteProcessingInstruction

I was using XmlWriter [using .NET v2 beta2] to write xml to a stream. The thing I had to write was like :-

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<entry xmlns="http://purl.org/atom/ns#">
...
</entry>

to write out the first line i.e. <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
I went looking around settings in XmlWriterSettings and I did

[IronPython]

writerSettings = XmlWriterSettings()
writerSettings.Indent = True
writerSettings.Encoding = Encoding.UTF8

writer = XmlWriter.Create(Console.Out, writerSettings)

...

Then, I see the Xml output and it shows

<?xml version="1.0" encoding="IBM437"?>

I see IBM437 instead of UTF-8 ??

Later, I manage to get the desired result by

writerSettings = XmlWriterSettings()
writerSettings.Indent = True
writer = XmlWriter.Create(Console.Out, writerSettings)

writer.WriteProcessingInstruction("xml", "version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"")
...

is the behaviour of XmlWriter correct ? isn't the default encoding of Xml documents UTF-8 ?

posted by richardhsu | 1913 Comments

Running ASP.NET v1.1 on Windows XP Home

At work, I was given a laptop with Windows XP Home as I am travelling for a few weeks. It had a lot of crap software installed and was very slow, so I [in typical geek fashion] formatted it and reinstalled a fresh version of Windows XP Home. There was no problem getting Visual Studio 6, Sql Server 2000 etc. to work on Windows XP Home but I realised that there was no IIS and I may have to run Gemini [bug tracking system built on ASP.NET] in some other way.

To cut the story short, this is what i did :-

a) copied the wwwroot folder from my Windows 2000 Pro system.

b) Created a short cut to the ASP.NET WebMatrix WebServer :-

"C:\Program Files\Microsoft ASP.NET Web Matrix\v0.6.812\WebServer.exe" /port:80 /path:"c:\wwwroot\gemini" /vpath:"/gemini"

c) Started the WebServer

d) Open IE and typed http://localhost/Gemini

and voila!! it worked!!

So far, everything has been working fine, I am able to view my bugs in Gemini again :-), Long live the spirit of WebMatrix!!

posted by richardhsu | 3 Comments

Sql Server Function: OBJECT_ID({object name},{object type})

In order to set up ASP.NET Session State in Sql Server, we have to run the InstallSqlState.sql script. In the script I came across :-

OBJECT_ID('tempdb..ASPStateTempSessions','U')

here 'U' is for User table.

I had used OBJECT_ID before but I wasn't aware of the second parameter which could filter the search based on the object's sysobjects.type column value.

I looked up the 'Sql Server Books Online' but it shows the function signature as :-

OBJECT_ID('object')

No mention of the second parameter!!

I wonder if it's an undocumented feature or am I missing something ?

Anyways, it's a useful thing to know.

posted by richardhsu | 1 Comments

T-Sql: Join and 'Not In' vs Exists and 'Not Exists'

Jignesh Desai writes on our UG Forum :-

Intersect you can achieve using joins also....
Select Jignesh.Topic
From Jignesh, Naveen
Where Jignesh.Topic = Naveen.Topic.
[update: this would include repetitions of the topic]

Minus query can be formed as :-
Select Topic
From Jignesh
Where Topic Not In (Select Topic From Naveen)
[update: this wouldn't work if there is a null in Naveen.Topic]

I replied with the following :-

Wouldn't the following be more appropriate ?

Intersect :-
Select Jignesh.Topic
From Jignesh
Where Exists(Select 1 From Naveen Where Jignesh.Topic=Naveen.Topic)

Minus :-
Select Topic
From Jignesh
Where Not Exists(Select 1 From Naveen Where Jignesh.Topic=Naveen.Topic)

I haven't heard from him yet, but I've always sort of wondered regarding what is the REAL difference in terms of performance etc.

I am of the [unverified] opinion that Exists and 'Not Exists' is faster but maybe you'll can educate me here. I am looking forward to my copy of Advance T-Sql which I am sure would also teach me a few things.
[update: The adv-tsql book just arrived and it's already taught me that 'Not Exists' performs better than 'Not In', we can verify this using 'Show Execution Plan' in Sql Query Analyzer]

What do you think ?

posted by richardhsu | 5 Comments
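
The two bracketed updates in this post (repeated topics from the join, and 'Not In' failing when Naveen.Topic contains a null) can be reproduced on a small data set. This is an added example, not part of the forum thread: it uses Python's built-in sqlite3 module as a stand-in for Sql Server, and the table contents are constructed; the NULL behaviour of NOT IN shown here is standard SQL three-valued logic.

```python
import sqlite3

# The four queries from the post, unchanged apart from layout.
QUERIES = {
    "intersect_join": """
        SELECT Jignesh.Topic FROM Jignesh, Naveen
        WHERE Jignesh.Topic = Naveen.Topic""",
    "intersect_exists": """
        SELECT Jignesh.Topic FROM Jignesh
        WHERE EXISTS (SELECT 1 FROM Naveen WHERE Jignesh.Topic = Naveen.Topic)""",
    "minus_not_in": """
        SELECT Topic FROM Jignesh
        WHERE Topic NOT IN (SELECT Topic FROM Naveen)""",
    "minus_not_exists": """
        SELECT Topic FROM Jignesh
        WHERE NOT EXISTS (SELECT 1 FROM Naveen WHERE Jignesh.Topic = Naveen.Topic)""",
}


def build_db() -> sqlite3.Connection:
    """Constructed sample: Naveen repeats 'joins' and contains one NULL topic."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Jignesh (Topic TEXT);
        CREATE TABLE Naveen  (Topic TEXT);
        INSERT INTO Jignesh VALUES ('joins'), ('indexes'), ('cursors');
        INSERT INTO Naveen  VALUES ('joins'), ('joins'), ('triggers'), (NULL);
    """)
    return db


def run_all() -> dict:
    """Run every query against the sample and return sorted result lists."""
    db = build_db()
    results = {}
    for name, sql in QUERIES.items():
        results[name] = sorted(row[0] for row in db.execute(sql))
    db.close()
    return results


if __name__ == "__main__":
    for name, rows in run_all().items():
        print(f"{name:18} {rows}")
```

With the NULL row present, `Topic NOT IN (...)` evaluates to unknown rather than true for every non-matching topic, so the 'Not In' query returns no rows while 'Not Exists' returns the expected difference.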

Gmail Notifier

via Vasanth Dharmaraj

"The Gmail Notifier is a downloadable Windows application that alerts you when you have new Gmail messages. It displays an icon in your system tray to let you know if you have unread Gmail messages, and shows you their subjects, senders and snippets, all without your having to open a web browser. " - Google

Get it here :- http://toolbar.google.com/gmail-helper/

They just keep on raising the bar for user friendliness, just when you start missing something, they provide it, amazing, no wonder Joe Beda decides to join Google

posted by richardhsu | (Comments Off)

Arial Font has a bug

I noticed something strange the other day while trying to rename something in TextPad. That the letter l (as in love) in arial font is the same as the letter I (as in Indigo). The first thing that came to my mind was, it's a design flaw, in arial font! I am sure a thing like this would have been written about already (although I haven't read anything yet) but couldn't resist putting in my two cents on it. While we are at it, I wonder what fonts my fellow GeekDojo'ers use at work. From the time I started using WebMatrix, Lucida Console has become my preferred font which I set in WebMatrix, Visual Studio 6, TextPad, Sql Query Analyzer, VS .NET and now the Express IDEs. Also all of them have a light grey background. Prior to lucida console, I used Verdana. Now coming to think of it, I never ever used arial for coding, I once tried tahoma but abandoned it for the same reason mentioned here for arial.

Here is the text where I noticed the arial font thing :-

spfxaGetItemWIPTransferList in Arial Font (look at the I after Get and I in WIP and then the l in Arial)

spfxaGetItemWIPTransferList in Tahoma

spfxaGetItemWIPTransferList in Verdana

spfxaGetItemWIPTransferList in Lucida Console

What font do you guys use ? and why ?

posted by richardhsu | 3 Comments

Assembly References : Need to select all of them ?

I tried a simple database query using SqlConnection, SqlCommand & SqlDataReader with VC++ 2005 Express but it wasn't compiling giving the messages part of which says :-

"error C3624: 'System::EnterpriseServices::ITransaction': the compiler cannot find this type.."

The cause of the problem was that System.Data.Dll (which contains SqlConnection, SqlCommand & SqlDataReader) referenced two assemblies, 'System.EnterpriseServices' & 'System.Transactions', which were not referenced in the project. When I added references to these two dlls, the project compiled and was working!!

What's weird is that I don't have to do this in .NET 1.1 with C#, meaning I only reference the dll that contains the class and that is it. Even in .NET 1.1, System.Data references those two assemblies but I didn't have to include them, I think this is due to some mismatch in dll versions or am I missing some settings ?? Otherwise, I would have to select all assemblies and their reference and their reference..!!

I will find the MSFT feedback email for VC Express and send it also but has anyone of you guys faced this same problem ??

#include "stdafx.h"
using namespace System;
using namespace System::Data::SqlClient;
using namespace System::Data;

int _tmain() {

    SqlConnection^ con = gcnew SqlConnection(L"Data Source=Server;Initial Catalog=Northwind; User Id=general; Password=pass");
    SqlCommand^ query = gcnew SqlCommand(L"Select * From Employees", con);
    con->Open();
    SqlDataReader^ rs = query->ExecuteReader();
    try {
        while (rs->Read()) {
            Console::WriteLine(rs[0]);
        }
    } finally {
        rs->Close();
        con->Close();
    }
    Console::ReadLine();

}

p.s. formatting code is quite difficult with BlogJet, the problem is with the tabs and newlines, any suggestions ? Got it, using <pre> tags in between the code will preserve the newlines and indents :-). I can't believe how long I've been missing this, didn't know about <pre> tags.

posted by richardhsu | 2 Comments