I had to laugh at XKCD this morning. That's nothing new, really, as it's usually funny, but in this case, it was very appropriate.
(Original is here. CC-BY-NC)
It rings especially true for me at the moment. In London Bike App, I have put in a TFL scraper, but in order to make it work well, I have offloaded the actual scraping to a Google App Engine application (which also hosts the dock info and other stuff).
While it runs over SSL (so no one else can listen in), I had to change the normal way of loading stuff (an HTTP GET with parameters in the URL) and use a POST. Why? Because AppEngine lets me view the logs, which contain the full URL - so I'd be able to see everyone's passwords, and chances are, they would be reusable on other sites.
So yes. Use unique passwords wherever you can. PLEASE. It just makes sense.
And for those using London Bike App, here are some points which might put your mind at ease, if it's not:
Communication between your device and Google App Engine is over SSL, so it's secure and can't be snooped.
Communication between Google App Engine and TFL is over SSL, so it's also secure and can't be snooped.
Your username and password are never stored on the server, even in log files (I checked, and had to change how I did things before putting it live).
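
An added example (not code from London Bike App or from the original post): a check over access-log lines for credentials carried in URL query strings, the problem that prompted the switch from GET to POST above. The log lines, the `/scrape` path and the list of sensitive parameter names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as secrets (an assumption; extend for your app).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret"}

# Request part of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
)

def audit_line(line):
    """Return (leaked_param_names, redacted_line) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return [], line  # not a request line; leave untouched
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not leaked:
        return [], line
    # Rebuild the query string with secret values masked.
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(clean)))
    redacted = line[:m.start("target")] + target + line[m.end("target"):]
    return leaked, redacted

# Constructed sample lines: the same login sent as GET (leaks) and as POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:09:00:00 +0000] '
    '"GET /scrape?username=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:09:00:05 +0000] '
    '"POST /scrape HTTP/1.1" 200 512',
]

def audit(lines):
    """Audit every line; returns a list of (leaked_names, redacted_line)."""
    return [audit_line(line) for line in lines]

if __name__ == "__main__":
    for leaked, redacted in audit(SAMPLE_LOG):
        status = "LEAK " + ",".join(leaked) if leaked else "ok"
        print(f"{status:15} {redacted}")
```

The POST line passes because the request body is not part of the logged request line; the check says nothing about whether the application itself writes the body to a log.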