
Comment Re:I'm a short sleeper (6 hours) (Score 1) 159

I'm in a similar boat. 5-6 hours seems to be perfect. I typically go to bed between Midnight and 1AM. My alarm is set for 6:30AM, some mornings I am up before it, sometimes I hit the snooze button for that extra 7 minutes it gives me.

There is the odd time I go to bed between 3AM and 5AM, and am still up before 7:00AM. I will admit those days are not a walk in the park, but I certainly don't go about my day like a zombie. I'm still functioning and get my work done, though I may be a little more irritable than normal.

For what it's worth, I'm in my mid-twenties. It's possible I'm still too young to value sleep.

Comment Just my time (Score 2) 377

Six or so years ago I was using a (fairly cheap) Virtual Private Server as a dev/testing box for a pet project of mine.

The VPS company was bought by a larger company, and prices were to double on the next billing period. I hastily chose a new provider without doing any research. I paid for 3 months of service in advance, got the container set up the way I like, migrated all of my data over, and was up and running.

2 months in, the new provider vanished, along with all of my data. I wasn't very concerned about the month's worth of money I had lost by not getting the 3 months I had paid for, I think it was only about $15. "Okay," I thought, "I'll just pull my data out of my nightly backups and move on." It turns out I forgot to adjust my local cron script that pulled the data over rsync to the new IP address. My backups had not been pulled in over 2 months.

Luckily it wasn't very important, as it didn't make me any money and was mostly just for fun. I ended up starting over from scratch and ended up with a better system anyway.

I learned my lesson, though.

Comment Re:Security (Score 1) 251

I have yet to hear a solution to this problem from you. So far just a repetitious whining about how what I wrote is just so horribly broken. I see even worse solutions implemented in sites that may cause even more havoc in a person's life, such as financial institutions, and government departments.

What would you do? How would it be any better? Please provide full details. If all you are going to do is bitch and whine but not bring any solutions to the table, you're even WORSE than me. At least I'm making an effort.

Comment Re:Security (Score 1) 251

I see your point. We make it abundantly clear what the security questions are for upon registration, and encourage the users to answer correctly. The questions we ask are not something that would normally be found in a user's inbox, and most average users do not index and archive their e-mail. I do, personally, but I archive anything older than 2 years locally on my workstation(s).

We'll consider the idea of skipping sending a new password to the user. Thanks for your input.

Comment Security (Score 3, Insightful) 251

Your first example is acceptable in my opinion, as that password was probably random and (essentially) single use. After logging in, you should immediately change the password to something you can remember.

The second example, however, is a big no-no in my books. I develop web-based applications for a living. The only time we send a password over e-mail (or SMS) is when a user has locked themselves out of their account, and is using the account recovery tool to regain access. This is how we handle it:
1. Click on "Forgot Password"
2. Enter your e-mail address (and username if different from e-mail address), click "Begin Recovery"
3. Send an e-mail with a verification URL for them to continue the process, this is to confirm they actually are the owner of the email address, and also to weed out people trying to use the recovery process maliciously.
4. Upon following the URL you will be prompted to answer two security questions you set up on registration from a set of predefined questions. You must answer both correctly to proceed. Internally, when this URL is hit, the account in question is flagged in the DB that it is now in Recovery Mode.
5. Upon answering the questions correctly, you will be e-mailed a single-use password you can log in with.
6. Upon logging in, you are required to change your password to something you can remember (or store in a password DB, like you should be doing).

I know it's long and cumbersome, but it works.
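
The six steps in the comment above as server-side logic, added here as an illustration and not the commenter's code. The names, the 15-minute link lifetime, the three-try limit, the PBKDF2 hashing and the in-memory dicts are all assumptions, and the URL hit and the answer form are collapsed into one call.

```python
import hashlib, hmac, secrets

TOKEN_TTL, MAX_TRIES = 900, 3   # assumed limits (seconds, wrong attempts); not from the comment

def kdf(secret, salt):
    """Salted slow hash so answers and one-time passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Recovery:
    def __init__(self, accounts):
        # e-mail -> {"salt", "answers": [hash, hash], "recovery", "otp", "must_change"}
        self.accounts = accounts
        self.links = {}             # sha256(token) -> [e-mail, expiry, failed tries]

    def begin(self, email, now):
        """Steps 1-3: mint the token that goes into the e-mailed verification URL."""
        if email not in self.accounts:
            return None             # the caller shows the same page either way
        token = secrets.token_urlsafe(32)
        self.links[hashlib.sha256(token.encode()).hexdigest()] = [email, now + TOKEN_TTL, 0]
        return token

    def answer(self, token, answers, now):
        """Steps 4-5: flag recovery mode, check both answers, issue a one-time password."""
        key = hashlib.sha256(token.encode()).hexdigest()
        link = self.links.get(key)
        if link is None or now > link[1]:
            self.links.pop(key, None)   # unknown or expired link
            return None
        acct = self.accounts[link[0]]
        acct["recovery"] = True
        given = [kdf(a.strip().lower(), acct["salt"]) for a in answers]
        if len(given) != 2 or not all(map(hmac.compare_digest, given, acct["answers"])):
            link[2] += 1
            if link[2] >= MAX_TRIES:
                del self.links[key]     # burn the link after repeated wrong answers
            return None
        del self.links[key]             # the link itself is single use
        otp = secrets.token_urlsafe(12)
        acct["otp"] = kdf(otp, acct["salt"])
        return otp                      # e-mailed to the user, stored only as a hash

    def login_with_otp(self, email, password):
        """Step 6: the one-time password works once and forces a password change."""
        acct = self.accounts.get(email)
        if not (acct and acct["otp"] and hmac.compare_digest(kdf(password, acct["salt"]), acct["otp"])):
            return False
        acct["otp"], acct["must_change"] = None, True
        return True
```
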

Comment Re: is anyone using it? (Score 1) 147

If they didn't want off-network users to use it, they would firewall it to just their subnets. I get they have a very large network that is ever expanding, and it may just be easier to not lock it to their subnets, but seriously it's not that hard.

I don't use my ISP's DNS because they resolve non-existent zones to some bullshit landing page in which they try to "help" users find what they were looking for, effectively breaking DNS in my opinion.

I don't use Google's because it sucked the last time I used it (when it was new, I suppose it is probably better now). Tracking isn't a real concern of mine in terms of DNS, although I do block Google Analytics via dnsmasq on my router. I just don't trust Google. They abandon services all the time. Quite frankly, I didn't expect their resolvers to stick around this long.

I own a web hosting business. We have a few servers in a datacenter. I run my own resolvers that are locked down to my /25 subnet, they resolve off the roots, specifically d.root-servers.net, and e.root-servers.net. Get less than 2ms on those.

At home, however, Level3 is still faster than any of the roots. :-/

Comment Re: How stupid could someone be? (Score 1) 111

Really depends on the nature of the software, I guess. For Malwarebytes it probably isn't the best idea, but at the same time it could easily de-reg the install ID upon uninstall.

There are various ways to do it. My example was one such way, that is all. There is no one-size-fits-all.

Comment Re: How stupid could someone be? (Score 2) 111

To expand on this... you should also generate an "Installation ID" upon validation, stored server and client side along with the key.

This prevents users from trying to activate the key on more than one system, and allows you to offer controlled multi-system installs if you so choose.

On update you validate both the key, and the installation ID.

In the event a user needs to move the software to another install, you can contact the licensing dept and revoke the previous installation ID.
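
The installation-ID scheme from this comment, together with the de-registration on uninstall mentioned in the reply above it, as an added example that is not the commenter's code. The class, method names and sample keys are hypothetical, and an in-memory dict stands in for the licensing database.

```python
import hmac
import secrets

class LicenseServer:
    """In-memory stand-in for the licensing database (hypothetical names throughout)."""

    def __init__(self, seats_by_key):
        self.seats = dict(seats_by_key)    # licence key -> number of allowed installs
        self.active = {}                   # licence key -> set of live installation IDs

    def activate(self, key):
        """Validate the key; on success mint an installation ID and record it with the key."""
        if key not in self.seats:
            return None
        live = self.active.setdefault(key, set())
        if len(live) >= self.seats[key]:
            return None                     # key already used on the allowed number of systems
        install_id = secrets.token_hex(16)  # random, so it cannot be derived from the key
        live.add(install_id)
        return install_id                   # the client stores this next to the key

    def allow_update(self, key, install_id):
        """On update, both the key and the installation ID must match a live record."""
        live = self.active.get(key, ())
        return any(hmac.compare_digest(install_id, known) for known in live)

    def revoke(self, key, install_id):
        """Licensing-desk revocation or de-registration on uninstall: frees the seat."""
        live = self.active.get(key, set())
        if install_id in live:
            live.remove(install_id)
            return True
        return False
```
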

Comment Re:BT Sync (Score 1) 107

Syncthing looks interesting. Even has an Android client to boot.
Thank you for sharing.

I currently use BTSync, but it seems I have problems every time I upgrade, having to recreate the shares and such. Kind of a PITA.
I also firewall it, so it doesn't sync outside of my home or office network, so, hopefully keeping any potential back doors out.
