<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Gearoid O'Treasaigh</title>
    <description>The latest articles on DEV Community by Gearoid O'Treasaigh (@gearoidotreasaigh).</description>
    <link>https://dev.to/gearoidotreasaigh</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1408576%2Fa4ac7456-f05a-4249-a245-e13b4bdee65f.jpg</url>
      <title>DEV Community: Gearoid O'Treasaigh</title>
      <link>https://dev.to/gearoidotreasaigh</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/gearoidotreasaigh"/>
    <language>en</language>
    <item>
      <title>Password Management: Passwordless Login</title>
      <dc:creator>Gearoid O'Treasaigh</dc:creator>
      <pubDate>Thu, 16 May 2024 15:41:08 +0000</pubDate>
      <link>https://dev.to/gearoidotreasaigh/password-management-passwordless-login-1j5</link>
      <guid>https://dev.to/gearoidotreasaigh/password-management-passwordless-login-1j5</guid>
      <description>&lt;p&gt;We keep hearing about the move to passwordless logins. What does all this mean? Does it mean that we're not going to have any way of checking who we are or that we're moving to the advanced technology where we have retina scanning? Let's delve into it in this blog post.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is Authentication?
&lt;/h2&gt;

&lt;p&gt;Let's start with authentication. &lt;a href="https://auth0.com/intro-to-iam/what-is-authentication"&gt;Auth0 defines&lt;/a&gt; authentication as the process of proving some fact or document is genuine. A user proves their identity by providing their credentials. A user can use different forms of information to prove their identity. That information could be:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  Something they know, such as a password&lt;/li&gt;
&lt;li&gt;  Something they have, such as their phone&lt;/li&gt;
&lt;li&gt;  Something they are, some biometric marker, such as a fingerprint&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A passkey is a new form of authentication and fits into the "something they have" category.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Are Passkeys?
&lt;/h2&gt;

&lt;p&gt;Over the last while, we've started to see passkeys as a way to log in to many familiar websites. Some examples are Google, GitHub, Uber, and LinkedIn, and the list continues to grow. Passkeys are becoming widely adopted as a secure way to log in, as they have some notable benefits:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  Passkeys are always strong&lt;/li&gt;
&lt;li&gt;  We no longer have to remember long and complex passwords&lt;/li&gt;
&lt;li&gt;  Passkeys are phishing-resistant&lt;/li&gt;
&lt;li&gt;  In a data breach, passkeys are not exposed&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How Have Passkeys Come About?
&lt;/h2&gt;

&lt;p&gt;How did they come to be? Passkeys use two things:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  FIDO (Fast IDentity Online) authentication&lt;/li&gt;
&lt;li&gt;  A means to securely retrieve the FIDO private keys for use&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The evolution of security and, more specifically, authentication has led us to this elegant and simple authentication method for the user.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is FIDO Authentication?
&lt;/h2&gt;

&lt;p&gt;FIDO is a way to log in securely using a digital signature. FIDO authentication is built on two pieces of information:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  A private key&lt;/li&gt;
&lt;li&gt;  A public key&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When we want to log in, let's say, to LinkedIn using a passkey, LinkedIn sends some information to our browser or application. The browser connects to the passkey store, which causes the user to perform biometric verification with a fingerprint or facial recognition. Once confirmed, LinkedIn sends a new, unique piece of information to the browser and passkey store. The passkey store uses the private key to encrypt it. The browser then sends the information back to LinkedIn. Then LinkedIn takes the public key, decrypts it, and checks if it matches what was initially sent. If it doesn't, the login request fails, but if it does match, we're allowed access to our individual LinkedIn account.&lt;/p&gt;

&lt;p&gt;This process is called &lt;a href="https://www.cloudflare.com/en-gb/learning/ssl/what-is-asymmetric-encryption"&gt;asymmetric encryption&lt;/a&gt;, in which two different keys are used for encrypting and decrypting. The private key is used for encrypting, and the public key is used for decrypting. The private key is kept secure in the passkey store and never disclosed, while the public key can be shared with anyone. In the case of authentication, the public key is stored by the app or website that requires authentication. The private key cannot be worked out from the public key.&lt;/p&gt;

&lt;p&gt;Let's take an example to see that in action, where we have the spell hocus pocus as the private key and the spell alakazam as the public key:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; We start logging in to LinkedIn using our browser with a passkey.&lt;/li&gt;
&lt;li&gt; The browser then connects with the passkey store.&lt;/li&gt;
&lt;li&gt; The passkey store prompts the user to authenticate with their fingerprint or facial recognition and lets the browser know when the passkey store is ready.&lt;/li&gt;
&lt;li&gt; LinkedIn sends the message "rabbit" to our browser so that the browser can show it has the correct passkey.&lt;/li&gt;
&lt;li&gt; Our passkey store gets the message from the browser and encrypts it, using the spell hocus pocus to get the new message "watermelon".&lt;/li&gt;
&lt;li&gt; The passkey store forwards the message to the browser, which sends the message "watermelon" back to LinkedIn.&lt;/li&gt;
&lt;li&gt; LinkedIn takes the message "watermelon" and decrypts it using the alakazam spell to get the message "rabbit".&lt;/li&gt;
&lt;li&gt; LinkedIn verifies that it matches what it sent initially.&lt;/li&gt;
&lt;li&gt; LinkedIn lets us log in to our LinkedIn account.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Where Is the Passkey Stored?
&lt;/h2&gt;

&lt;p&gt;Updates are rolling out to support managing passkeys by Google, Apple, and Microsoft, along with password managers. There are some differences between what we can do with each:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  Google allows us to use passkeys with all of its Android apps and Chrome browser&lt;/li&gt;
&lt;li&gt;  Apple allows use with Mac, iPad, and iPhone along with its Safari browser&lt;/li&gt;
&lt;li&gt;  Microsoft allows use with Windows devices and the Edge browser&lt;/li&gt;
&lt;li&gt;  Password managers will allow passkey use across all of the devices that support the password manager&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Generally, each of the different stores allows the passkeys to be synced through the cloud, so once we have our passkey stored in the Google password manager, any mobile device we use that Google account with will have access to that passkey.&lt;/p&gt;

&lt;h2&gt;
  
  
  What if We Need the Passkey on Another Platform?
&lt;/h2&gt;

&lt;p&gt;Let's say we've set up a passkey on Apple's keychain, and now we need to log into our Windows device. We can choose to use a passkey from another device.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvyhtquts6h18t7cfze51.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvyhtquts6h18t7cfze51.png" alt="QR code from github.com which allows the user to scan with their phone and use the passkey from their phone to log in" width="454" height="520"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Screenshot of the Passkey prompt from github.com&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;We can scan the QR code with our iPhone and choose the passkey to log in. We would then be given the option to save a passkey. Then, we would have different passkeys for Apple and Microsoft. Each allows us to log in, and each passkey is different.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Does Setting Up a New Passkey Look Like?
&lt;/h2&gt;

&lt;p&gt;Some websites and applications have made setting up passkeys simple. However, others require a little more work. The directory &lt;a href="https://passkeys.directory/"&gt;https://passkeys.directory&lt;/a&gt; lists all the websites, apps, and services that use passkeys for signing in. We can quickly check how to set up each app and website.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr13s7tftdpff1m96s1wq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr13s7tftdpff1m96s1wq.png" alt="Example using Adobe for passkey" width="800" height="588"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Example of the instructions for setting up a passkey for Adobe&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  How Secure Are Passkeys?
&lt;/h2&gt;

&lt;p&gt;We talked about how authentication uses private and public keys earlier. When we set up a new passkey, a new private key and matching public key are generated. The private key is securely stored in the service we use to manage the passkeys, which could be Google's Password Manager, Apple's iCloud keychain, Microsoft's Password Manager, or the password manager we choose. The private key never leaves that store. The public key is stored on the website, app, or service that we're setting up. To make use of the passkey, we need to authenticate. The authentication to access the passkey is a biometric check, such as logging in with a fingerprint or facial recognition.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Does It Mean in a Security Breach?
&lt;/h2&gt;

&lt;p&gt;For a security breach of an application, the application would have the public key, which we're okay with anyone having, as it's public. The public key doesn't allow the "bad actor" to log into our account, so we remain secure. However, if we still have a password stored on the application, we must reset it immediately. If the password is weak or re-used, we are left quite vulnerable.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Do Each of the Authentication Types Compare?
&lt;/h2&gt;

&lt;p&gt;The hardware security key is the most secure since it &lt;a href="https://www.youtube.com/watch?v=wN5lpttf_Hc"&gt;cannot be copied or shared&lt;/a&gt;; only the holder can use it. Using only a password is the weakest since it's a single form of authentication that can be phished and can be set to something weak. Next, multi-factor authentication adds to the security level, while the passkey is seen as more secure again. For companies that want only one person to access a key, a hardware security key meets that need as it can only be easily used by co-located people. Passkeys and hardware security keys would ideally be used with Multi-Factor Authentication (MFA) to ensure one of the forms has not been stolen by a bad actor.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcpn8payljau9t0kn5oij.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcpn8payljau9t0kn5oij.png" alt="A line diagram, with password on the left as it is weakest, next on the right is password with multi-factor authentication, next to that is passkey and finally there is hardware security key, which is on the right." width="800" height="174"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;From weakest to most secure: the different types of authentication&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Could We Use a Hardware Security Key as a Passkey?
&lt;/h2&gt;

&lt;p&gt;Since both hardware security keys and passkeys use FIDO authentication, some websites let us register a passkey as a security key or register a hardware security key as a passkey. However, how each website or app intends to use them could differ, so it's worth noting how we log in. Passkeys could be designed to be used instead of a password, and then a second form of authentication could also be used. For a hardware security key, it may be that a password is entered first, and then the key is used as a second form of authentication. This could mean we must keep a password for a security key, while with a passkey, we could go passwordless.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where Are We in Terms of Moving Fully Passwordless?
&lt;/h2&gt;

&lt;p&gt;As of May 2024, we're seeing the adoption of passkeys by more applications and vendors. However, we're not at the point where every application has moved over to use passkeys. Dashlane is seeing a &lt;a href="https://developers.googleblog.com/en/password-manager-dashlane-sees-70-increase-in-conversion-rate-for-signing-in-with-passkeys-compared-to-passwords/"&gt;70% conversion rate&lt;/a&gt; from passwords to passkeys as of October 2023, where users are jumping on board using passkeys. If we put that into perspective, those Dashlane users are already password savvy, have realized the need for a password manager, and have seen the benefits of passkeys. However, many users need to learn what passkeys are and why they should use them. So we have to work to educate people and update our applications to support passkeys. At some point, we will have widespread passkey adoption, and applications can start to test switching off their password support across the application or per user so that passwords are no longer needed.&lt;/p&gt;

&lt;h2&gt;
  
  
  Is MFA Going Away?
&lt;/h2&gt;

&lt;p&gt;What does the move to passkeys and passwordless mean for MFA? From what we're seeing in the industry, MFA will continue as a way to ensure that users are who they say they are. Users can log in with the passkey and then use another form of authentication to verify their identity. We should continue to use additional forms of authentication along with our passkeys.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;We've learned that a world in which we are passwordless is coming closer. While we may not be there just yet, a lot of work is being done to get us there. Since we still have passwords, we have to make sure they are secure, even if we start to primarily use passkeys, as the passwords could get exposed in a data breach. As we move on with our day, we should look for opportunities to use passkeys, set them up, and post comments on how our move to passkeys is going.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  What is authentication: &lt;a href="https://auth0.com/intro-to-iam/what-is-authentication"&gt;https://auth0.com/intro-to-iam/what-is-authentication&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  Asymmetric encryption: &lt;a href="https://www.cloudflare.com/en-gb/learning/ssl/what-is-asymmetric-encryption/"&gt;https://www.cloudflare.com/en-gb/learning/ssl/what-is-asymmetric-encryption&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  Passkey Directory: &lt;a href="https://passkeys.directory/"&gt;https://passkeys.directory&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  FIDO Passkey Primer IBM: &lt;a href="https://youtu.be/wN5lpttf_Hc?si=YGWdwogvjiyOgnsg"&gt;https://youtu.be/wN5lpttf_Hc?si=YGWdwogvjiyOgnsg&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  Google blog on &lt;a href="https://developers.googleblog.com/en/password-manager-dashlane-sees-70-increase-in-conversion-rate-for-signing-in-with-passkeys-compared-to-passwords/"&gt;https://developers.googleblog.com/en/password-manager-dashlane-sees-70-increase-in-conversion-rate-for-signing-in-with-passkeys-compared-to-passwords&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Credits
&lt;/h2&gt;

&lt;p&gt;The title image is from &lt;a href="https://beta.dreamstudio.ai/generate"&gt;Dreamstudio AI&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>password</category>
      <category>habits</category>
      <category>security</category>
      <category>development</category>
    </item>
    <item>
      <title>Password Management: The Basics</title>
      <dc:creator>Gearoid O'Treasaigh</dc:creator>
      <pubDate>Thu, 02 May 2024 14:08:47 +0000</pubDate>
      <link>https://dev.to/gearoidotreasaigh/password-management-the-basics-4d40</link>
      <guid>https://dev.to/gearoidotreasaigh/password-management-the-basics-4d40</guid>
      <description>&lt;p&gt;Happy World Password Day! (In 2024, it's being celebrated on May 2nd.) Remembering loads of passwords is an absolute pain. As we work in corporate jobs, we find that the number of personal and professional passwords we have continues to grow, along with having to log into systems numerous times a day. In general, employees manage &lt;a href="https://blog.lastpass.com/posts/2017/11/lastpass-reveals-8-truths-about-passwords-in-the-new-password-expose"&gt;191 logins and log in 154 times a month, with each login taking, on average, 14 seconds, causing us to spend at least 36 minutes entering passwords per month&lt;/a&gt;. Let's look at why a password manager should take care of them rather than us tracking them all in our heads or on a scrap of paper.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Impact of a Data Breach
&lt;/h2&gt;

&lt;p&gt;According to &lt;a href="https://www.statista.com/topics/11610/data-breaches-worldwide/#topicOverview"&gt;Statista's report&lt;/a&gt;, 6.43 million data records were leaked during the first quarter of 2023. When these data breaches occur, the leaked data may include our email addresses and passwords. This breach can start a chain reaction of "bad actors" accessing our accounts, locking us out, and gaining access to further accounts if they have access to the email account. This exploit can further snowball if the same password is used on all accounts. The "bad actor" can gain access to our email. They use the email information to understand the services we're signed up for and access them using the same password.&lt;/p&gt;

&lt;p&gt;Using the same password across accounts is like using the one key for all the locks in an entire town and having thieves steal the key. They can then go through the contents of every building, see what is there, vandalise, and steal whatever they want. The impact financially and mentally would be huge.&lt;/p&gt;

&lt;h2&gt;
  
  
  Detecting Data Breaches
&lt;/h2&gt;

&lt;p&gt;Google One provides &lt;a href="https://one.google.com/dwr/dashboard"&gt;scanning for our email addresses on the dark web&lt;/a&gt;, which lets us know the data breaches where our email addresses were exposed. The website &lt;a href="https://haveibeenpwned.com/"&gt;Have I Been Pwned (HIBP)&lt;/a&gt; allows us to check on any email address and see if it's been exposed through a data breach. There are also complete identity monitoring services that keep track of our email addresses, banking details, passport information, driving licence, and social security numbers. These complete services usually come at a cost.&lt;/p&gt;

&lt;h2&gt;
  
  
  Protecting Users From Data Breaches
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://haveibeenpwned.com/"&gt;HIBP&lt;/a&gt; provides a free service to &lt;a href="https://haveibeenpwned.com/Passwords"&gt;check if a user's password has been compromised&lt;/a&gt; in a data breach. The &lt;a href="https://haveibeenpwned.com/API/v3#PwnedPasswords"&gt;HIBP API&lt;/a&gt; can be integrated into the sign-in or password update services to notify users that the password has been compromised. Ideally, when updating a password with a known compromised password, the service would block that password from being used with helpful information. HIBP doesn't publish the companies that use the API on their platforms, but as users, we can ask for the platforms to have this feature, and if we're in the privileged position of creating the applications, we can work to include this feature.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Do We Need a Good Password?
&lt;/h2&gt;

&lt;p&gt;Along with the data breaches that may show our passwords on the dark web, hackers also try to break into our accounts by using software to guess our passwords. Below, we can see that the fewer character types a password uses, the easier it is to crack, even when the password length is increased.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhlhgtnnsfnohpjsg93hg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhlhgtnnsfnohpjsg93hg.png" alt="A table showing the speed at which a password can be cracked. This ranges from instantly with passwords of numbers or lowercase letters only of certain lengths. To 19qn years for a password that uses numbers, upper and lowercase letters, and symbols. To check our password strength, use https://www.security.org/how-secure-is-my-password/" width="800" height="420"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Source: &lt;a href="https://www.hivesystems.com/password"&gt;https://www.hivesystems.com/password&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;However, suppose we use a previously stolen password, simple words, or the same password across multiple sites. In that case, the &lt;a href="https://www.hivesystems.com/blog/are-your-passwords-in-the-green"&gt;table above will turn purple as each password will be cracked instantly&lt;/a&gt;, no matter the character combination or length. This is because hackers will start with standard, easy, or already-known passwords rather than from scratch.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Do We Re-Use Passwords?
&lt;/h2&gt;

&lt;p&gt;Remembering long and complex passwords is tricky unless we have a photographic memory like Sheldon Cooper from The Big Bang Theory. Generally, we need our passwords to be memorable, and with the ever-increasing number of accounts we use, it's tricky to keep track of them all. Some strategies to deal with this are to re-use passwords or have a base password which slightly changes based on the name of the service being used. In the &lt;a href="https://www.lastpass.com/resources/ebook/psychology-of-passwords-2021"&gt;2021 report from LastPass&lt;/a&gt;, 92% of people know that re-using the same password or a variation is a risk. However, knowing the risk is not enough to make people take action.&lt;/p&gt;

&lt;h2&gt;
  
  
  Good Security Practices
&lt;/h2&gt;

&lt;p&gt;According to Bitwarden, the &lt;a href="https://bitwarden.com/blog/6-things-to-keep-your-passwords-secure/"&gt;six good security practices&lt;/a&gt; we need are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Check if our &lt;a href="https://haveibeenpwned.com/"&gt;password has been pwned&lt;/a&gt;&lt;/strong&gt;: we are checking to see if the password has been exposed in a data breach.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ensure that we have a strong password&lt;/strong&gt;: if we don't have a password manager that provides a password generator, we could use &lt;a href="https://bitwarden.com/password-generator/"&gt;Bitwarden's strong password generator&lt;/a&gt; to create a password. If we have a password that we think is strong and want to check it, we could use &lt;a href="https://www.security.org/how-secure-is-my-password/"&gt;Security.org's password checker&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Embrace two-factor authentication&lt;/strong&gt;: a &lt;a href="https://www.comparitech.com/blog/information-security/password-statistics"&gt;report by Comparitech&lt;/a&gt; says that 99.9% of all attacks are blocked by multi-factor authentication (MFA). For the small percentage that MFA doesn't block, hackers will use social engineering, MFA fatigue, or other means to obtain the additional form of authentication needed.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Stick to encrypted sharing methods&lt;/strong&gt;: using our password manager's sharing facility is an excellent way to go.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Avoid re-use altogether&lt;/strong&gt;: update the passwords for any accounts where our password has been re-used.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Use a password manager&lt;/strong&gt;: &lt;a href="https://www.techradar.com/best/password-manager"&gt;Techradar has a good review for 2024&lt;/a&gt; that compares password managers and recommends them for different life scenarios.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Taking Password Management Seriously
&lt;/h2&gt;

&lt;p&gt;Using a password manager is a way to strengthen our password security, remove the cognitive load of remembering all our passwords, and speed up our ability to log into platforms and services. The &lt;a href="https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers"&gt;National Cyber Security Centre&lt;/a&gt; in the UK defines it as:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;A password manager is an app on your phone, tablet or computer that stores your passwords, so you don’t need to remember them&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Along with storing the password, a good password manager makes it frictionless to enter, lets us know if a password is re-used or weak, alerts us if our password has been compromised, and can manage our second-factor authentication. The password manager can also sync the passwords across all the platforms where we need to enter our passwords.&lt;/p&gt;

&lt;p&gt;According to a &lt;a href="https://www.security.org/digital-safety/password-manager-annual-report/2022/"&gt;2022 Security.org report&lt;/a&gt;, users who do not use password managers are three times more likely to experience identity theft than those who do.&lt;/p&gt;

&lt;h2&gt;
  
  
  Application Password Security
&lt;/h2&gt;

&lt;p&gt;Over time, applications have become more sophisticated in how they store passwords. Initially, they might have been stored in plain text in the database, but now they are transformed by a process which cannot be reversed. Over time, these transformation processes are getting more sophisticated.&lt;/p&gt;

&lt;p&gt;In a data breach, the leaked passwords should be the transformed version, so this slows down "bad actors" as they try to figure out how the passwords have been transformed, and the transformation takes time. To speed the process up, they will take known passwords that have been transformed and see if they match what has been leaked, as they will be immediately able to enter those accounts. This is why we must change our passwords after a data breach and ensure they are different across accounts. If we have a good password, it slows them down from cracking it and gives us time to change it before they access our account.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Password Manager Should We Use?
&lt;/h2&gt;

&lt;p&gt;Some free password managers are iCloud Keychain, Google Password Manager and Firefox Password Manager. These are a good start; however, they have limitations and are tied to the browser they are associated with. This means the iCloud keychain works with Safari, Google Password Manager with Chrome, and Firefox Password Manager with Firefox. Suppose we're finding that we need to enter passwords outside of our browser and have to try and find the password, or we are defaulting back to inadequate password behaviours. In that case, it may be time we looked into dedicated password managers.&lt;/p&gt;

&lt;p&gt;When looking for a password manager, we should look for one that easily syncs across all devices and makes it easy to save and enter our passwords at a minimum. Once we have entered our password for the password manager or used our fingerprint, for example, to log in, we should be able to choose in one click which accounts we want to use to log into a service. Some password managers will automatically enter our credentials in the app or website. A reputable review site can save us the hard work of comparing the different services. An example is the &lt;a href="https://www.techradar.com/best/password-manager"&gt;Techradar review for 2024&lt;/a&gt;. On the list, there are free and paid solutions.&lt;/p&gt;

&lt;h2&gt;
  
  
  Starting Our Life With a Password Manager
&lt;/h2&gt;

&lt;p&gt;Once we've chosen our password manager, we must enable our devices and browsers to use it seamlessly. This might be apps or browser extensions. Let's take Bitwarden and 1Password as our examples since Bitwarden is currently the best free password manager available, according to TechRadar, while 1Password is used by many businesses. We need to install the apps and extensions to get started using them. Both websites provide handy download pages:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Bitwarden: &lt;a href="https://bitwarden.com/download"&gt;https://bitwarden.com/download&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;1Password: &lt;a href="https://1password.com/downloads"&gt;https://1password.com/downloads&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;At the end of installing everything, we should have the following:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A desktop app&lt;/li&gt;
&lt;li&gt;Extensions for each browser we use, e.g. Chrome, Safari, Edge…&lt;/li&gt;
&lt;li&gt;The mobile app&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For setting up the mobile app, Bitwarden has a help page on &lt;a href="https://bitwarden.com/help/getting-started-mobile/"&gt;autofill and unlocking using biometrics&lt;/a&gt;, as they are necessary to make using the app as easy as possible.&lt;/p&gt;

&lt;h2&gt;
  
  
  Password Checkup
&lt;/h2&gt;

&lt;p&gt;Some password managers will provide a service to score all our passwords and let us know where we may be exposed. 1Password provides &lt;a href="https://support.1password.com/watchtower/"&gt;Watchtower&lt;/a&gt;, which identifies the following:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Identify vulnerable logins imported from LastPass: LastPass had data breaches, and this check informs us where we might be vulnerable.&lt;/li&gt;
&lt;li&gt;Find compromised websites and vulnerable passwords.&lt;/li&gt;
&lt;li&gt;Find websites that support passkeys.&lt;/li&gt;
&lt;li&gt;Identify re-used and weak passwords.&lt;/li&gt;
&lt;li&gt;Find unsecured websites.&lt;/li&gt;
&lt;li&gt;Identify logins that support two-factor authentication.&lt;/li&gt;
&lt;li&gt;Check for expiring items.&lt;/li&gt;
&lt;li&gt;Find duplicate items.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Ideally, we want a perfect score across the board, but the reality is that we can do what the websites allow us to do. This means that any accounts that limit us to having PINs or short passwords will either show up as being vulnerable or having a weak password. In these cases, we need to ensure that if there are any second forms of authentication, we have them enabled so that if a hacker blows their way through, they are blocked by MFA, which we read blocks hackers 99.9% of the time. Banks are notorious for having very weak password or PIN protocols, and they must combine them with apps, one-time passcodes and card readers.&lt;/p&gt;

&lt;h2&gt;
  
  
  One-Time Passcodes
&lt;/h2&gt;

&lt;p&gt;Another feature our password manager hopefully has is the ability to store one-time passcodes. These are a form of second-factor authentication, set up by scanning a QR code. Once set up, the codes change every thirty seconds. The benefit of having them in our password manager is that they are automatically entered when needed rather than being retrieved from another app. 1Password has a guide to help us through the process of &lt;a href="https://support.1password.com/one-time-passwords/"&gt;setting up one-time passcodes&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  What's next?
&lt;/h2&gt;

&lt;p&gt;Since it's World Password Day, we can level up our password management skills and ensure we're not vulnerable. If we don't have a password manager, it's an opportunity to set one up, as it's easy and will save us time. We can bite the bullet and change any re-used passwords. Also, look at our vulnerable and weak passwords in our password manager and tackle a few of them. Over time, we can improve our password management score.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Password management is a problem that we all have to tackle. Keeping track of passwords in our heads and coming up with unique, strong passwords is challenging. Rather than having this cognitive load, we've seen the benefit that password managers bring. The only question left is, what will it take for us to make the simple move of setting up our password manager and living the life of remembering only our one password manager password instead of loads of passwords?&lt;/p&gt;

&lt;h2&gt;
  
  
  Further Reading
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;139 password statistics to help you stay safe in 2024: &lt;a href="https://us.norton.com/blog/privacy/password-statistics"&gt;https://us.norton.com/blog/privacy/password-statistics&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;LastPass Reveals 8 Truths about Passwords in the New Password Exposé: &lt;a href="https://blog.lastpass.com/posts/2017/11/lastpass-reveals-8-truths-about-passwords-in-the-new-password-expose"&gt;https://blog.lastpass.com/posts/2017/11/lastpass-reveals-8-truths-about-passwords-in-the-new-password-expose&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Data Breaches Worldwide: &lt;a href="https://www.statista.com/topics/11610/data-breaches-worldwide/#topicOverview"&gt;https://www.statista.com/topics/11610/data-breaches-worldwide/#topicOverview&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Google One Dark Web Report: &lt;a href="https://one.google.com/dwr/dashboard"&gt;https://one.google.com/dwr/dashboard&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Have I Been Pwned: &lt;a href="https://haveibeenpwned.com"&gt;https://haveibeenpwned.com&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Have I Been Pwned Password Checker: &lt;a href="https://haveibeenpwned.com/Passwords"&gt;https://haveibeenpwned.com/Passwords&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Have I Been Pwned Password API: &lt;a href="https://haveibeenpwned.com/API/v3#PwnedPasswords"&gt;https://haveibeenpwned.com/API/v3#PwnedPasswords&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Bitwarden's Strong Password Generator: &lt;a href="https://bitwarden.com/password-generator"&gt;https://bitwarden.com/password-generator&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Password Manager tips from the National Cyber Security Centre in the UK: &lt;a href="https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers"&gt;https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Hive Tech Password: &lt;a href="https://www.hivesystems.com/password"&gt;https://www.hivesystems.com/password&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;The 2021 Psychology of Passwords Report: &lt;a href="https://www.lastpass.com/resources/ebook/psychology-of-passwords-2021"&gt;https://www.lastpass.com/resources/ebook/psychology-of-passwords-2021&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;6 Things to Keep Your Passwords Secure: &lt;a href="https://bitwarden.com/blog/6-things-to-keep-your-passwords-secure"&gt;https://bitwarden.com/blog/6-things-to-keep-your-passwords-secure&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Password Statistics: &lt;a href="https://www.comparitech.com/blog/information-security/password-statistics"&gt;https://www.comparitech.com/blog/information-security/password-statistics&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;3 Techniques to Bypass MFA: &lt;a href="https://securityscorecard.com/blog/techniques-to-bypass-mfa"&gt;https://securityscorecard.com/blog/techniques-to-bypass-mfa&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Password Manager Annual Report 2022: &lt;a href="https://www.security.org/digital-safety/password-manager-annual-report/2022"&gt;https://www.security.org/digital-safety/password-manager-annual-report/2022&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Best Password Manager of 2024: &lt;a href="https://www.techradar.com/best/password-manager"&gt;https://www.techradar.com/best/password-manager&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Password Manager Mobile Apps: &lt;a href="https://bitwarden.com/help/getting-started-mobile"&gt;https://bitwarden.com/help/getting-started-mobile&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Use Watchtower to find the account details you need to change: &lt;a href="https://support.1password.com/watchtower/"&gt;https://support.1password.com/watchtower/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Setting up one-time passcodes in 1Password: &lt;a href="https://support.1password.com/one-time-passwords/"&gt;https://support.1password.com/one-time-passwords/&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Credits
&lt;/h2&gt;

&lt;p&gt;The title image is from &lt;a href="https://beta.dreamstudio.ai/generate"&gt;Dreamstudio AI&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>password</category>
      <category>habits</category>
      <category>security</category>
    </item>
    <item>
      <title>A Change in Identity — From Developer to Craftsperson</title>
      <dc:creator>Gearoid O'Treasaigh</dc:creator>
      <pubDate>Fri, 26 Apr 2024 12:11:08 +0000</pubDate>
      <link>https://dev.to/gearoidotreasaigh/a-change-in-identity-from-developer-to-craftsperson-218f</link>
      <guid>https://dev.to/gearoidotreasaigh/a-change-in-identity-from-developer-to-craftsperson-218f</guid>
      <description>&lt;p&gt;In this blog article, we'll explore the principles of software craftsmanship, the benefits of becoming a software craftsperson, and how we can improve our skills. We'll look at a growth mindset and some resources to help us on our journey. Let's dive in!&lt;/p&gt;

&lt;h2&gt;
  
  
  Witnessing Craftsmanship
&lt;/h2&gt;

&lt;p&gt;Let's say we enter a home and face this beautifully crafted staircase. Why do we even think this is beautiful? What comes to mind is the skill and work that has gone into it. The craftsperson has had to think about how to ensure that it's only connected at the top and the bottom, that it can support the weight, and that it doesn't fall under its own weight or when there are people on it, climbing up and down. There is also the craftsmanship of the handrail and the curved wall.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0vq1ekvxegy1ck25vza.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0vq1ekvxegy1ck25vza.png" alt="A curved staircase in a home, with a railing on the right of the stairs and a white partitioning wall on the left" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Source: &lt;a href="https://designer.microsoft.com"&gt;Microsoft Designer&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Why does this craftsmanship strike us or cause us to take notice? Is it because we can see the care taken in creating the stairs? Or maybe we can see that a lot of skill went into it? Or perhaps it's because the knowledge of physics has been used to make it appear that it defies gravity?&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is Craftsmanship?
&lt;/h2&gt;

&lt;p&gt;From &lt;a href="https://www.collinsdictionary.com/dictionary/english/craftsmanship"&gt;Collins dictionary&lt;/a&gt;, we can see the definition is:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Craftsmanship is the quality that something has when it is beautiful and has been very carefully made.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What Is Software Craftsmanship?
&lt;/h2&gt;

&lt;p&gt;The &lt;a href="https://manifesto.softwarecraftsmanship.org"&gt;Manifesto for Software Craftsmanship&lt;/a&gt; describes it as follows:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Not only working software,&lt;br&gt;
but also &lt;strong&gt;well-crafted software&lt;/strong&gt;.&lt;br&gt;
Not only responding to change,&lt;br&gt;
but also &lt;strong&gt;steadily adding value&lt;/strong&gt;.&lt;br&gt;
Not only individuals and interactions,&lt;br&gt;
but also &lt;strong&gt;a community of professionals&lt;/strong&gt;.&lt;br&gt;
Not only customer collaboration,&lt;br&gt;
but also &lt;strong&gt;productive partnerships&lt;/strong&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;If we simplify it, a software craftsperson cares about all aspects of their work.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Separates a Software Developer From a Software Craftsperson?
&lt;/h2&gt;

&lt;p&gt;While software developers are primarily concerned with the code they write, software craftspeople take a broader approach. They manage the code, its maintainability, deployability, and application monitoring. This results in robust applications that meet user needs and bring joy to users. Software craftspeople continually hone their skills to create better applications that perform well in production without constant supervision. Quality applications are made through thorough testing and proactive monitoring that alerts the team to potential issues.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Choose to Embark on the Path of a Software Craftsperson?
&lt;/h2&gt;

&lt;p&gt;For anyone who connects with the principles of software craftsmanship - well-crafted software, steadily adding value, being part of a community, and having productive partnerships with their users - the path of software craftsperson is a good fit. It's a journey where we continually learn the craft of building software in an evolving landscape. As software craftspeople, we're not happy just throwing things out the door but instead focus on quality and stability. We also want to build up a community of people who can create high-quality software so that we all can learn from each other and build on what others are learning.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Did I Make the Transition to Software Craftsperson?
&lt;/h2&gt;

&lt;p&gt;Different people have different journeys, motivations, and experiences regarding craftsmanship. Let me tell you my story. I had worked in software development for over ten years when I joined a &lt;a href="http://swcraftsmanshipdojo.com"&gt;software craftsmanship dojo&lt;/a&gt;. At the start, I didn't understand the impact that the dojo would have. I thought I was only there to learn Test Driven Development (TDD). Previously, I had learned TDD by participating in code retreats. Still, I needed help incorporating the new working method into day-to-day coding outside of fixing defects or working on straightforward features. The dojo allowed me to learn hands-on each week, developing the skills that drive my development through testing. This mindset progressed to the point where I now find it hard to think about developing without using TDD.&lt;/p&gt;

&lt;p&gt;The move to software craftsmanship made sense as a path for my career since I had worked on many projects where we were fighting the storm of trying to develop the application, dealing with production issues, and managing our technical debt. This storm led me to burnout and disillusionment in the software developer career. Having an opportunity in the weekly two-hour dojo to learn new skills and have hands-on experience meant that it was two hours that I looked forward to the most in the week.&lt;/p&gt;

&lt;p&gt;Outside the dojo, I practice a daily coding exercise, use what I learned in my work, and consider new ways of doing things. This practice has led me to develop skills to quickly deploy new, well-tested applications with testing, monitoring, and scanning toolchains, improving my &lt;a href="https://scan.devopsagileskills.org"&gt;DORA&lt;/a&gt; and &lt;a href="https://scan.devopsagileskills.org"&gt;DASA&lt;/a&gt; scores.&lt;/p&gt;

&lt;h2&gt;
  
  
  Growth Mindset
&lt;/h2&gt;

&lt;p&gt;Moving to become a software craftsperson will mean that we can see that there are ways that we can grow. Rather than seeing our skills as something that can't be changed, we realise we can improve incrementally over time. So, rather than having a fixed mindset where we think our skills limit our growth, we have a growth mindset. Referring to the &lt;a href="https://dev.to/gearoidotreasaigh/building-elite-teams-starts-with-habits-4a6k"&gt;previous post&lt;/a&gt;, building habits and working on getting 1% better is fundamental to creating a growth mindset. This growth mindset doesn't just stop with us; it should also include growing the people around us. Having a growth mindset is vital to building a community of software craftspeople.&lt;/p&gt;

&lt;h2&gt;
  
  
  Benchmarking Our Skills
&lt;/h2&gt;

&lt;p&gt;To understand where we are with our software craftsmanship skills, we can use the &lt;a href="https://scan.devopsagileskills.org"&gt;DevOps Agile Skills Association (DASA) DevOps quick scan&lt;/a&gt; to know where we are with our skill levels. Then, we can work on improving the areas that need addressing. The quick scan looks at 12 different areas:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Business Value Optimisation&lt;/li&gt;
&lt;li&gt;Business Analysis&lt;/li&gt;
&lt;li&gt;Architecture and Design&lt;/li&gt;
&lt;li&gt;Test Specification&lt;/li&gt;
&lt;li&gt;Programming&lt;/li&gt;
&lt;li&gt;Continuous Delivery&lt;/li&gt;
&lt;li&gt;Infrastructure Engineering&lt;/li&gt;
&lt;li&gt;Security, Risk, Compliance&lt;/li&gt;
&lt;li&gt;Courage&lt;/li&gt;
&lt;li&gt;Team Building&lt;/li&gt;
&lt;li&gt;DevOps Leadership&lt;/li&gt;
&lt;li&gt;Continuous Improvement&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each area will receive a score from one (novice) to five (master). The report will help us understand what is required at the next level and how to improve.&lt;/p&gt;

&lt;h2&gt;
  
  
  Methodology for Developing Quality Cloud Applications
&lt;/h2&gt;

&lt;p&gt;A methodology called the &lt;a href="https://12factor.net"&gt;twelve-factor app&lt;/a&gt; is used to build software-as-a-service applications that can scale without significant changes to tooling, architecture, or development practices. The created app uses declarative formats for setup automation, has a clean contract with the underlying operating system, and minimises divergence between development and production. We can apply the methodology to apps in any programming language and can use any combination of backend services. We can build the best software-as-a-service application possible by following the twelve factors.&lt;/p&gt;

&lt;h2&gt;
  
  
  Getting Started on Our Journey as Software Craftspeople
&lt;/h2&gt;

&lt;p&gt;Understanding more about software craftsmanship can always be helpful. There is a link to further reading on the &lt;a href="https://manifesto.softwarecraftsmanship.org"&gt;Manifesto for Software Craftsmanship&lt;/a&gt;. There you will see, among others:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.amazon.com/Apprenticeship-Patterns-Guidance-Aspiring-Craftsman/dp/0596518382"&gt;Apprenticeship Patterns: Guidance for the Aspiring Software Craftsman by Dave Hoover and Adewale Oshineye&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.amazon.com/Software-Craftsmanship-Imperative-Pete-McBreen/dp/0201733862"&gt;Software Craftsmanship by Pete McBreen&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.amazon.com/Pragmatic-Programmer-journey-mastery-Anniversary/dp/0135957052"&gt;The Pragmatic Programmer by David Thomas and Andrew Hunt&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A title missing from that list is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.amazon.com/Software-Craftsman-Professionalism-Pragmatism-Robert/dp/0134052501"&gt;The Software Craftsman by Sandro Mancuso&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These titles help us further understand software craftsmanship and what we must look at in our journey. We should improve ourselves and those around us to build well-crafted software.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Changing our identity from a developer to a software craftsperson leads us to build well-crafted applications. The key to the change is treating it as a journey, and as with any journey, we can take many different routes. We've talked about some of the resources that might be useful, and we can use the resources that entice us and keep us going along the journey. Transforming 1% daily will mean we will have significantly impacted how we work for a year and beyond.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Craftsmanship Definition:  &lt;a href="https://www.collinsdictionary.com/dictionary/english/craftsmanship"&gt;https://www.collinsdictionary.com/dictionary/english/craftsmanship&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Manifesto for Software Craftsmanship:  &lt;a href="https://manifesto.softwarecraftsmanship.org"&gt;https://manifesto.softwarecraftsmanship.org&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;DASA Quick Scan:  &lt;a href="https://scan.devopsagileskills.org"&gt;https://scan.devopsagileskills.org&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;BriX Software Craftsmanship Dojo:  &lt;a href="https://swcraftsmanshipdojo.com"&gt;https://swcraftsmanshipdojo.com&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;DORA Quick Check:  &lt;a href="https://dora.dev/quickcheck"&gt;https://dora.dev/quickcheck&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;The Twelve-Factor App:  &lt;a href="https://12factor.net"&gt;https://12factor.net&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Apprenticeship Patterns: Guidance for the Aspiring Software Craftsman by Dave Hoover and Adewale Oshineye:  &lt;a href="https://www.amazon.com/Apprenticeship-Patterns-Guidance-Aspiring-Craftsman/dp/0596518382"&gt;https://www.amazon.com/Apprenticeship-Patterns-Guidance-Aspiring-Craftsman/dp/0596518382&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Software Craftsmanship by Pete McBreen:  &lt;a href="https://www.amazon.com/Software-Craftsmanship-Imperative-Pete-McBreen/dp/0201733862"&gt;https://www.amazon.com/Software-Craftsmanship-Imperative-Pete-McBreen/dp/0201733862&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;The Pragmatic Programmer by David Thomas and Andrew Hunt:  &lt;a href="https://www.amazon.com/Pragmatic-Programmer-journey-mastery-Anniversary/dp/0135957052"&gt;https://www.amazon.com/Pragmatic-Programmer-journey-mastery-Anniversary/dp/0135957052&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;The Software Craftsman by Sandro Mancuso:  &lt;a href="https://www.amazon.com/Software-Craftsman-Professionalism-Pragmatism-Robert/dp/0134052501"&gt;https://www.amazon.com/Software-Craftsman-Professionalism-Pragmatism-Robert/dp/0134052501&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Credits
&lt;/h2&gt;

&lt;p&gt;The title image is from &lt;a href="https://beta.dreamstudio.ai/generate"&gt;Dreamstudio AI&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>craftsmanship</category>
      <category>softwaredevelopment</category>
      <category>softwarecraftsmanship</category>
    </item>
    <item>
      <title>Building Elite Teams Starts With Habits</title>
      <dc:creator>Gearoid O'Treasaigh</dc:creator>
      <pubDate>Wed, 17 Apr 2024 09:10:00 +0000</pubDate>
      <link>https://dev.to/gearoidotreasaigh/building-elite-teams-starts-with-habits-4a6k</link>
      <guid>https://dev.to/gearoidotreasaigh/building-elite-teams-starts-with-habits-4a6k</guid>
      <description>&lt;p&gt;Going from a mediocre team to an elite team can seem daunting, especially when we need to figure out where to start. The DevOps Research and Assessment (DORA) can be our north star, helping us build the habits and practices we need to be elite. We'll look at DORA, the challenges of building habits, and how to form habits that stick.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Is DORA?
&lt;/h2&gt;

&lt;p&gt;The DevOps Research and Assessment (DORA) &lt;a href="https://cloud.google.com/devops/state-of-devops"&gt;report&lt;/a&gt; focuses on four key areas to measure elite teams:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Lead time:&lt;/strong&gt; How long does it take to go from code committed to running in production?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Deploy frequency:&lt;/strong&gt; How often does our organisation deploy to production?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Change fail percentage:&lt;/strong&gt; How often do we need to rollback, patch, hotfix, or fix forward after a change?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Failed deployment recovery time:&lt;/strong&gt; How long does it generally take to recover service?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The challenge here is going from knowing about those four areas to working on them, so that we go from being a mediocre team to an elite squad scoring a ten on the &lt;a href="https://dora.dev/quickcheck/"&gt;DORA quick check&lt;/a&gt;. The four measurements of an elite team are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Lead time is less than one hour&lt;/li&gt;
&lt;li&gt;Deploy frequency is on-demand (multiple deploys per day)&lt;/li&gt;
&lt;li&gt;The change fail percentage is ideally 0%&lt;/li&gt;
&lt;li&gt;Failed deployment recovery time is less than one hour&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To see where our team are currently, try the &lt;a href="https://dora.dev/quickcheck/"&gt;DORA quick check&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;This blog will focus on the tools, technologies, practices, culture, and philosophies that will help teams become elite. Improvements in our work take time since we need to break old habits that don't serve us well and build new ones. This blog will keep that in mind as we move through different topics. Each post will have an invitation to try out what we learn. If there are any questions or issues that need to be covered, make use of the comments section to submit the question.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Challenges of Forming New Habits
&lt;/h2&gt;

&lt;p&gt;We've all seen New Year's Resolutions and possibly have had some of our own. According to the Forbes report in 2024, 53% of those surveyed had given up on their New Year's Resolutions by the end of March. For many people, sticking to a new resolution or goal is challenging. There is now a day known as Ditch New Year's Resolution Day, which in 2024 fell on January 17th. While the media paints a picture of a significant stumbling block, statistics show it's less troublesome than perceived. We can see the reality of the quit rate in the chart below:&lt;/p&gt;


&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
      &lt;div class="c-embed__cover"&gt;
        &lt;a href="https://datawrapper.dwcdn.net/03sJ3/3/" class="c-link s:max-w-50 align-middle" rel="noopener noreferrer"&gt;
          &lt;img alt="" src="https://res.cloudinary.com/practicaldev/image/fetch/s--TElZ7rwV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://datawrapper.dwcdn.net/03sJ3/plain-s.png%3Fv%3D3" height="419" class="m-0" width="800"&gt;
        &lt;/a&gt;
      &lt;/div&gt;
    &lt;div class="c-embed__body"&gt;
      &lt;h2 class="fs-xl lh-tight"&gt;
        &lt;a href="https://datawrapper.dwcdn.net/03sJ3/3/" rel="noopener noreferrer" class="c-link"&gt;
          
        &lt;/a&gt;
      &lt;/h2&gt;
      &lt;div class="color-secondary fs-s flex items-center"&gt;
        datawrapper.dwcdn.net
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


&lt;h2&gt;
  
  
  Why Do People Fail in Their New Resolutions/Habits?
&lt;/h2&gt;

&lt;p&gt;In an &lt;a href="https://jamesclear.com/habits-fail"&gt;article&lt;/a&gt; by James Clear, he outlines five reasons our new habits might fail:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Trying to change more than one thing at a time&lt;/li&gt;
&lt;li&gt;Setting big goals without breaking them down into smaller steps&lt;/li&gt;
&lt;li&gt;Seeking a result, not the ritual&lt;/li&gt;
&lt;li&gt;We have not changed the environment in which we perform our good habits, so we quickly revert to our bad habits&lt;/li&gt;
&lt;li&gt;Assuming small changes don't add up&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;However, there are ways to set ourselves up for success. In the book &lt;a href="https://jamesclear.com/atomic-habits"&gt;Atomic Habits&lt;/a&gt;, James talks about &lt;a href="https://jamesclear.com/atomic-habits-summary"&gt;three key lessons&lt;/a&gt;:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Small habits make a big difference.&lt;/li&gt;
&lt;li&gt;Forget about setting goals. Instead, focus on the system.&lt;/li&gt;
&lt;li&gt;Build identity-based habits.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  The Impact of Habits
&lt;/h2&gt;

&lt;p&gt;Building identity-based habits means, for example, instead of saying I go running, we say we're runners, or instead of saying we paint, we say we're painters. There is a subtle difference in the wording, but if we start to think we're runners, that can lead to thinking, what does a runner do? It could mean changing the food we eat, how often we train, when we train, and the goals we set for ourselves.&lt;/p&gt;

&lt;p&gt;If we focus on getting &lt;a href="https://jamesclear.com/continuous-improvement"&gt;1% better every day in one year, we'll end up being 37 times better than when we started&lt;/a&gt;. It means that anything we set our mind to can profoundly impact us. It may not be noticeable at first, but as the changes compound over time, we will notice that we're a different person than when we started. Like a cliff being eroded over time by the waves, at the start, we overlook the impact each wave has, but over time, we see how the cliff face changes in its shape.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Do I Go About Creating and Maintaining Habits?
&lt;/h2&gt;

&lt;p&gt;In the &lt;a href="https://jamesclear.com/atomic-habits/cheatsheet"&gt;Habits Cheatsheet&lt;/a&gt;, James Clear talks about the four laws to create a good habit:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The 1st law (&lt;em&gt;Cue&lt;/em&gt;): Make it obvious&lt;/li&gt;
&lt;li&gt;The 2nd law (&lt;em&gt;Craving&lt;/em&gt;): Make it attractive&lt;/li&gt;
&lt;li&gt;The 3rd law (&lt;em&gt;Response&lt;/em&gt;): Make it easy&lt;/li&gt;
&lt;li&gt;The 4th law (&lt;em&gt;Reward&lt;/em&gt;): Make it satisfying&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As an example, let's say we've decided that we want to drink more water every day. We could make it obvious by placing a water bottle on our desk so that we can't miss it. Having a nice bottle or putting some lemon or mint in the water would be attractive. To make it easy, we fill the water bottle the night before so we don't have to think about it in the morning. Then, to make it satisfying, we could have a calendar above our desk where we put a sticker to mark each day that we've managed to empty our water bottle.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Do I Beat My Old Bad Habits?
&lt;/h2&gt;

&lt;p&gt;Again, in the &lt;a href="https://jamesclear.com/atomic-habits/cheatsheet"&gt;Habits Cheatsheet&lt;/a&gt;, there are the inverse laws for avoiding your bad habits:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Inversion of the 1st law (&lt;em&gt;Cue&lt;/em&gt;): Make it invisible&lt;/li&gt;
&lt;li&gt;Inversion of the 2nd law (&lt;em&gt;Craving&lt;/em&gt;): Make it unattractive&lt;/li&gt;
&lt;li&gt;Inversion of the 3rd law (&lt;em&gt;Response&lt;/em&gt;): Make it difficult&lt;/li&gt;
&lt;li&gt;Inversion of the 4th law (&lt;em&gt;Reward&lt;/em&gt;): Make it unsatisfying&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Let's say we want to watch less TV. We could make it invisible by placing the TV out of view, moving it to another room or inside a cupboard. We might unsubscribe from our streaming accounts and TV subscriptions to make it unattractive. To make it difficult, we place the TV's power cord or remote control in another room. Finally, to make it unsatisfying, we could have an accountability partner that we check in with, to whom we will have to confess that we ended up watching TV.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Next Steps
&lt;/h2&gt;

&lt;p&gt;As we reflect on our DORA scores, we have an opportunity to identify areas where we can improve by forming new habits. The DORA quick check provides guidance on key areas we can work on to improve our score. In our team, we can decide what to work on to raise our score, moving us from developers to software craftspeople. Then, we can form habits to help us make lasting changes. &lt;/p&gt;

&lt;p&gt;For example, if we identify a need to reduce lead time, we may realise our review process is slowing us down. When we explore it, we recognise we need to set aside time to review the code. We could take a &lt;a href="https://jamesclear.com/habit-stacking"&gt;habit-stacking&lt;/a&gt; approach. For example, when we open our laptops in the morning (our current habit), we first review all of the pull requests that are pending review for us. Another could be to review pull requests first thing after our lunch break.&lt;/p&gt;

&lt;p&gt;To make it attractive, we might realise that the pull requests lack enough information, so we add a pull request template so all the information is there. Then, to make it easy, we could have a simple way for people to launch the application and see the change. To make it satisfying, we could recognise a person each week who does a great job of meaningful reviews and helps speed up the delivery of features.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;We've explored the DORA report and how it measures teams' ability to deliver software. We've examined how habits are the foundation of meeting our goals/resolutions, looking at good and bad habits. Our challenge is to move from software developers to software craftspeople, using our daily habits to help us transform.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;State of DevOps Report: &lt;a href="https://cloud.google.com/devops/state-of-devops"&gt;https://cloud.google.com/devops/state-of-devops&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;DORA quick check assessment: &lt;a href="https://dora.dev/quickcheck/"&gt;https://dora.dev/quickcheck/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Forbes article on New Year's Resolutions Statistics: &lt;a href="https://www.forbes.com/health/mind/new-years-resolutions-statistics/"&gt;https://www.forbes.com/health/mind/new-years-resolutions-statistics/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;5 Common Mistakes That Cause New Habits to Fail: &lt;a href="https://jamesclear.com/habits-fail"&gt;https://jamesclear.com/habits-fail&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Atomic Habits book by James Clear: &lt;a href="https://jamesclear.com/atomic-habits"&gt;https://jamesclear.com/atomic-habits&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Summary of the Atomic Habits book by James Clear: &lt;a href="https://jamesclear.com/atomic-habits-summary"&gt;https://jamesclear.com/atomic-habits-summary&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Continuous Improvement -  How It Works and How to Master It: &lt;a href="https://jamesclear.com/continuous-improvement"&gt;https://jamesclear.com/continuous-improvement&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Habits cheatsheets: &lt;a href="https://jamesclear.com/atomic-habits/cheatsheet"&gt;https://jamesclear.com/atomic-habits/cheatsheet&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Habit stacking: &lt;a href="https://jamesclear.com/habit-stacking"&gt;https://jamesclear.com/habit-stacking&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Credits
&lt;/h2&gt;

&lt;p&gt;The article image was generated using Microsoft Designer.&lt;/p&gt;

</description>
      <category>habits</category>
      <category>agile</category>
      <category>softwaredevelopment</category>
    </item>
    <item>
      <title>Introduction to Pull Request Stacking</title>
      <dc:creator>Gearoid O'Treasaigh</dc:creator>
      <pubDate>Wed, 10 Apr 2024 09:20:00 +0000</pubDate>
      <link>https://dev.to/gearoidotreasaigh/pull-request-stacking-3n88</link>
      <guid>https://dev.to/gearoidotreasaigh/pull-request-stacking-3n88</guid>
      <description>&lt;p&gt;Pull Request (PR) stacking is another name for stacked diffs, a concept that has existed for several years. We’ll go through what it is, the tools you can use and where PR stacking may be of benefit.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is PR Stacking?
&lt;/h3&gt;

&lt;p&gt;In traditional Pull Requests (PRs), the developer makes all of the changes in one or more commits and then opens the PR to merge the change back into the main branch. The approach in PR stacking instead is to separate the functionality to be delivered into pieces. Let’s say we’re working on a new POST request API. 1️⃣ The first PR could be the happy path where what we submit works okay, and that would be opened against the main branch. 2️⃣ The next piece of work could be the error scenario, when the payload is too large, and that PR would be created to merge into the branch from the first PR. 3️⃣ Another PR could be added for the scenario when the data being sent is not in a format the API can understand, and would be stacked on top of the second PR.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5c46k7x77n8p4fw0z0iw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5c46k7x77n8p4fw0z0iw.png" alt="Diagram of what the PRs would look like for a feature" width="783" height="204"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A PR stack moves you away from delivering a big change in one go with a long review. Instead, you break it down into pieces that can be reviewed quickly.&lt;/p&gt;

&lt;h3&gt;
  
  
  What are the benefits of PR Stacking?
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;easier to review — the smaller changes make it easier for the reviewer to understand what is happening and they get to know the code better.&lt;/li&gt;
&lt;li&gt;catch problems — with smaller PRs it is easier to see when a bug is introduced both for the author and reviewer.&lt;/li&gt;
&lt;li&gt;less waiting — the reviews are quicker since they are simple and developers can continue developing upon their changes while waiting for reviews.&lt;/li&gt;
&lt;li&gt;improved communication — using stacked PRs means there is a lot more communication about the code. This is very useful when multiple developers are working together on one feature.&lt;/li&gt;
&lt;li&gt;clearer code changes — since the PRs are isolated to a single change it’s clearer what each change does and if coupled with good PR descriptions, it can educate the reviewers.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  What tool should I use for PR Stacking?
&lt;/h3&gt;

&lt;p&gt;You could perform PR stacking with the git command but it doesn’t offer any of the features of a dedicated tool such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;applying the changes from the current PR to all of the PRs that are stacked on it by doing an automatic rebase.&lt;/li&gt;
&lt;li&gt;annotating your PR with the details of the entire PR stack.&lt;/li&gt;
&lt;li&gt;rebasing and restacking PRs when you merge or close a downstream PR.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Below you can see some available tools, as of April 2024.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dedicated tools&lt;/th&gt;
&lt;th&gt;Tools with additional features&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://github.com/ezyang/ghstack"&gt;ghstack&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.git-tower.com/"&gt;Git Tower&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://github.com/gitext-rs/git-stack"&gt;git-stack&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://sapling-scm.com/docs/introduction/getting-started/"&gt;Sapling&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://graphite.dev/"&gt;Graphite&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://getcord.github.io/spr/"&gt;SPR&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Using PR stacking in a community project
&lt;/h3&gt;

&lt;p&gt;A challenge in community (open source) projects is that dependent libraries can have new security vulnerabilities, or coding practices may have changed a lot. Robert C Martin has a quote: “Always leave the code you’re editing a little better than you found it”. When you want to update a feature in the project, you want to leave it better than when you came to it. Rather than confusing the reviewer by mixing what is added with what is refactored, you could perform your refactoring in the first PR to make the code clearer. In the next PR, you could update the tests and functionality. Another PR could be stacked upon that to fix up library dependencies that are out of date.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvky6t98j3x5dhcv3paji.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvky6t98j3x5dhcv3paji.png" alt="Diagram of stacked PRs for an opensource project" width="783" height="204"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The benefit to the reviewers is that they can see what changed and why with each PR, an important aspect of community projects that helps with communication. This leads to faster reviews and the opportunity to continue building the functionality while feedback is gathered.&lt;/p&gt;

&lt;h3&gt;
  
  
  What are the next steps?
&lt;/h3&gt;

&lt;p&gt;Now that you’ve learned about PR stacking, experiment with the different PR stacking tools. Look for opportunities to use the tools with your next feature or open-source submission. As with any experiment, take note of the impact that PR stacking and the tool have on your work.&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
