Design Process What I’m Up To

Working on an article for the Auth0 blog

Tap to view my scribbling at full size.

I like drawing out my article ideas for the Auth0 Developer Blog before firing up the blog editor and typing. Here’s an example, which I was doodling this morning, which I made at the dealership while my car was being serviced.


My favorite remix of the “Bobby Hill / If those kids could read” meme

The “Bobby Hill / If those kids could read” meme. Panel 1: Bobby Hill tapes a sign to a classroom’s window that says “Using Jira doesn’t make you agile”. Panel 2: The teacher, holding the torn-down sign, saying to Bobby: “If those project managers could read, they’d be very upset.”
That boy is right. Found via Amir Barylko. Tap to view at full size.

This made me laugh out loud. I’ve seen teams use Jira in some shockingly un-agile ways.


Humor Process

A short guide to design and development methodologies

Comic by DESIGN THINKING! Comic. Click here to see the source. Thanks to David Eddy for the find!

Yet another one we can file under “Funny because it’s true.”

Current Events Process Tampa Bay

Tampa Bay Product Owner Meetup tonight: Stakeholder Management — Tips from FBI Hostage Negotiators

Poster for the 1998 film “The Negotiator”, featuring Samuel L. Jackson and Kevin Spacey.
If you haven’t seen this underappreciated 1998 film, check it out.

Looking for an interesting online meetup to attend tonight? I’ll be checking out Tampa bay Product Owner Group’s meetup, which has an intriguing title: Stakeholder Management — Tips from FBI Hostage Negotiators. It happens tonight from 6:00 p.m. to 8:00 p.m. on Zoom.

(Here’s the Zoom link for the event.)

Here’s the description of the event, taken straight from their Meetup page:

Product Management IS Stakeholder Management. Influencing and Negotiating is a big part of the role.

In this session, you will learn modern negotiation techniques applied to Stakeholder Management. This is a fun spin on Stakeholder management using the negotiation techniques Chris Voss outlines in “Never Split the Difference.” We explore modern negotiation techniques, then apply them to real-life scenarios.

We examine Mirroring, Labeling, Getting to Yes, and Open-Ended Questions in realistic Product and Stakeholder scenarios. We think we learn by applying, so this will have an interactive element to it!

Stay on top of Tampa Bay tech events!

Banner for the Tampa Bay tech, entrepreneur, and nerd events mailing list.Want to know when events like the one above are happening? Join the Tampa Bay Tech Events list and always be informed of what’s coming up in Tampa Bay!

Humor Process

We’ve all been there: “Let’s add one more feature!”

Hardware Process

Android *still* has a maximum passcode length of 16 characters

My new Android phone, a Motorola One Hyper, which I wrote about a couple of weeks ago, came out of the box with Android 10.

When it came time to set the passcode to unlock the phone, I found out that the longest device unlock passcode that even the most recent version of Android will accept is 16 characters. That was the case five years ago, and it’s still the case today.

Android’s “Choose Lock Password” screen is part of AOSP (Android Open Source Project), which means that its source code is easy to find online. It’s, and the limitation is a constant defined in a class named ChooseLockPasswordFragment, which defines the portion of the screen where you enter a new passcode.

Here are the lines from that class that define passcode requirements and limitations:

private int mPasswordMinLength = LockPatternUtils.MIN_LOCK_PASSWORD_SIZE;
private int mPasswordMaxLength = 16;
private int mPasswordMinLetters = 0;
private int mPasswordMinUpperCase = 0;
private int mPasswordMinLowerCase = 0;
private int mPasswordMinSymbols = 0;
private int mPasswordMinNumeric = 0;
private int mPasswordMinNonLetter = 0;

Note the values assigned to these variables. It turns out that there are only two constraints on Android passcodes that are currently in effect:

  • The minimum length, stored in mPasswordMinLength, which is set to the value stored in the constant LockPatternUtils.MIN_LOCK_PASSWORD_SIZE. This is currently set to 6.
  • The maximum length, stored in mPasswordMaxLength, which is set to 16.

As you might have inferred from the other variable names, there may eventually be other constraints on passcodes — namely, minimums for the number of letters, uppercase letters, lowercase letters, symbol characters, numeric characters, and non-letter characters — but they’re currently not in effect.

Why 16 characters?

16 is a power of 2, and to borrow a line from Snow Crash, powers of 2 are numbers that a programmer would recognize “more readily than his own mother’s date of birth”. This might lead you to believe that 16 characters would be some kind of technical limit or requirement, but…

…Android (and in fact, every current non-homemade operating system) doesn’t store things like passcodes and passwords as-is. Instead, it stores the hashes of those passcodes and passwords. The magic of hash functions is that no matter how short or long the text you feed into them, their output is always the same fixed size (and a relatively compact size, too).

For example, consider SHA-256, from the SHA-2 family of hash functions:

String value Its SHA-256 hash
(empty string) e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x 2d711642b726b04401627ca9fbac32f5c8530fb1903cc4db02258717921a4881
Chunky bacon! f0abf4f096ac8fa00b74dbcee6d24c18cfd8ab5409d7867c9767257d78427760
I have come here to chew bubblegum and kick ass… and I’m all out of bubblegum! 3457314d966ef8d8c66ee00ffbc46c923d1c01adb39723f41ab027012d30f7fd
(The full text of T.S. Eliot’s The Love Song of J. Alfred Prufrock) 569704de8d4a61d5f856ecbd00430cfe70edd0b4f2ecbbc0196eda5622ba71ab

No matter the length of the input text, the output of the SHA-256 function is always the same length: 64 characters, each one a hexadecimal digit.

Under the 16-character limit, the password will always be shorter than the hash that actually gets stored! There’s also the fact that in a time when storage is measured in gigabytes, we could store a hash that was thousands of characters long and not even notice.

My guess is that the Android passcode size limit of 16 characters is purely arbitrary. Perhaps they thought that 16-character passwords like the ones below were the longest that anyone would want to memorize:


The problem is that it doesn’t account for (theoretically) more secure yet easier to remember passwords of the “correct horse battery staple” method described in the webcomic xkcd, which can easily make passwords longer than 16 characters:

Tap the comic to read the original.

Based on usability factors, there is a point after which a password is just too long, but it’s not 16 characters. I think that iOS’ 37-character limit is more suitable.

Process Tampa Bay What I’m Up To

The final lap of UC Baseline: Python!

For the past four weeks, I’ve been spending over eight hours a day in a classroom in Ybor City, as a student in the inaugural cohort of UC Baseline, the cybersecurity training program offered by Tampa Bay’s security guild, The Undercroft.

We’ve taken the following courses under the tutelage of these instructors:

Course Instructor
Hardware 101
(5 days)
Networking 101
(5 days)
Linux 101
(3 days)
Windows 101
(2 days)
Infosec 101
(5 days)

There’s just one course left in the program: Python 101, which starts today! Considering that I’ve just come from teaching a Python course to beginners, I suspect that the instructors will have me:

  • Help instruct my fellow students,
  • Take on some harder Python programming assignments, or
  • Both (I suspect that this will be the case).

The Python 101 course will run from Monday to Wednesday. After that comes…

…the virtual job fair. The Undercroft will set up online interviews between UC Baseline students/Undercroft guild members and representatives from Tampa Bay security and security-adjacent companies looking to hire. I see some resume editing and LinkedIn profile polishing in my near future.

Friday will be devoted to graduation rituals, which include a solo Capture the Flag competition and a grad barbecue (socially distanced, of course — they’ve got a nice courtyard).

I’m looking forward to the week!