How to tell if a site takes security seriously

April 27, 2010
misc

Here are some easy ways you can tell if a particular site is serious about security:

  • Low limit on password length - If you see a password requirement such as "password must be no more than 12 characters", this means they are not hashing the password (or they don't understand how hashing works). You can hash a string of any size and it will always return a hash of the same number of characters. It might make sense for the site to limit the password length to something like 100 characters to prevent DoS attacks, since hashing does use a small amount of CPU.
  • No special characters in password - If the site says the password must not contain characters such as < > @, this typically means they do not hash the password. The hash string always consists of a safe set of characters [a-z0-9], no matter what characters are in the password.
  • Email your password - If a site can email your password in plain text, then it is stored in plain text. The only exception might be when the email is sent with a newly generated temporary password. Ideally, though, a password should never be emailed, since SMTP is not encrypted.
  • Lack of HTTPS Support - HTTPS is critical for security, even if your site doesn't accept credit cards. If the site asks for any data you would not like in someone else's hands, make sure it supports HTTPS.
  • The site tells you that your username is correct but the password is not during login - An attacker can use this information to find valid usernames on the site.
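The first, second and fifth points above, as an added example that is not part of the original post: a small login routine that caps password length only to bound hashing cost, accepts any characters, stores a salted PBKDF2 hash (assumed here; the post names no algorithm), and returns the same error whether the username or the password is wrong. The user table and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for this example: PBKDF2-HMAC-SHA256 with a random 16-byte
# salt stands in for the site's hash; 100 characters is the DoS bound the
# post suggests, not a limit on which characters a user may choose.
MAX_PASSWORD_LEN = 100
ITERATIONS = 100_000
LOGIN_FAILED = "Invalid username or password"  # never says which one


def password_policy_ok(password: str) -> bool:
    """Only the length is bounded; <, >, @ and friends are all fine."""
    return len(password) <= MAX_PASSWORD_LEN


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt:digest' in hex. Input of any length or charset yields
    the same 64 hex characters of digest, so nothing special needs storing."""
    if not password_policy_ok(password):
        raise ValueError("password too long")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed user table: the stored value is the hash, never the password.
USERS = {"alice": hash_password("c0rrect h0rse <b@ttery> staple!")}


def login(username: str, password: str) -> str:
    """Same response for an unknown user and a wrong password."""
    stored = USERS.get(username)
    if stored is None:
        hash_password(password)  # burn the same CPU so timing does not reveal valid users
        return LOGIN_FAILED
    if not verify_password(password, stored):
        return LOGIN_FAILED
    return "ok"
```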


Comments

The third is not necessarily true. They can also be using reversible encryption, versus hashing, so passwords are stored in the DB encrypted, then decrypted for sending. "No special characters in password" is also not always true. If it is an app that is often accessed from a mobile device, special characters can be difficult to enter, so some special characters are restricted to keep users from being unable to log in. Remember, password policies must be a balance of security and usability.
Timely comments. Just tried to change my Adobe PW. 12 Character max.
Hello, thank you for these tips. They really make sense. However, many websites, even sites of respectable companies, might not use hashing or do not support https. I was checking the web on this topic, and there is an interesting additional video at http://www.tubesfan.com/watch/drupalcon-sf-2010-drupal-site-security-for-coders-and-themers/2 which tells about how to achieve security on your website. Purposed for coders and themers.
