How to tell if a site takes security seriously
By Pete Freitag
Here are some easy ways you can tell if a particular site is serious about security:
- Low limit on password length - If you see a requirement such as "password must be no more than 12 characters", the site is probably not hashing passwords (or doesn't understand how hashing works). You can hash a string of any size and the hash will always be the same number of characters. It might make sense to cap the password length at something like 100 characters to prevent DoS attacks, since hashing does use a small amount of CPU, but a cap as low as 12 has no such justification.
- No special characters in password - If the site says the password must not contain characters such as < > @, this typically means the password is not being hashed. The hash output is always drawn from a safe character set (for example hexadecimal digits, a subset of [a-z0-9]) no matter what characters are in the password, so there is no reason to restrict the input.
- Email your password - If a site can email your password in plain text, then it is stored in plain text. The only exception might be if the email is sent when a temporary password is generated. But ideally the password should never be emailed since SMTP is not encrypted.
- Lack of HTTPS Support - HTTPS is critical for security, even if your site doesn't accept credit cards. If the site asks for any data you would not like in someone else's hands make sure it supports HTTPS.
- The site tells you if your username is correct but password is not during login - An attacker can use this information to find valid usernames on the site.
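The following Python example is added here to illustrate three of the points above (arbitrary password length and characters producing a fixed-length, safe-charset hash; a sensible upper bound on length; and a login check that returns the same message whether the username or the password is wrong). It is not code from the original post; the helper names `hash_password`, `verify_password` and `login`, the sample user table, the iteration count and the 100-character cap are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters (not from the post): tune ITERATIONS upward to what your hardware tolerates.
ITERATIONS = 200_000
# The post suggests a cap around 100 characters so hashing CPU stays bounded without limiting real passwords.
MAX_PASSWORD_LENGTH = 100
# One generic failure message for both unknown username and wrong password, so usernames cannot be enumerated.
LOGIN_FAILED = "Invalid username or password"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' using PBKDF2-HMAC-SHA256.

    Whatever the length or characters of the input (up to the cap), the digest
    is always 64 hex characters drawn from [0-9a-f].
    """
    if len(password) > MAX_PASSWORD_LENGTH:
        raise ValueError("password exceeds maximum length")
    if salt is None:
        salt = os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    if len(password) > MAX_PASSWORD_LENGTH:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample user table: note the password contains <, >, @, spaces and non-ASCII text,
# none of which needs to be forbidden because only the hash is stored.
USERS = {"alice": hash_password("p@ss <word> with spaces & 日本")}

# A throwaway hash verified when the username is unknown, so the failure path does the
# same amount of work and gives the same answer as a wrong password for a real user.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def login(username: str, password: str) -> Tuple[bool, str]:
    """Authenticate without revealing whether the username exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored)
    if ok and username in USERS:
        return True, "Welcome"
    return False, LOGIN_FAILED


if __name__ == "__main__":
    print(hash_password("short"))
    print(hash_password("x" * MAX_PASSWORD_LENGTH))
    print(login("alice", "p@ss <word> with spaces & 日本"))
    print(login("alice", "wrong"))
    print(login("nobody", "wrong"))
```

Running it shows that a 5-character and a 100-character password both yield a 64-character hexadecimal digest, and that a wrong password for `alice` and any password for an unknown user produce the identical `LOGIN_FAILED` response.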
How to tell if a site takes security seriously was first published on April 27, 2010.