
Wednesday, August 12, 2009

Security Rule #1: Do not keep my password!


Most articles on web security talk about the measures you should take in choosing strong passwords and changing them frequently. Little is said about the website operator's share of the responsibility. In fact, many websites do not properly protect your information.

Rule #1: Don't keep (or display or email) users' passwords in clear text. A site should store only a salted, deliberately slow hash of each password; "encrypted" storage that the site can reverse is not much better, because whoever holds the key (including the site itself) can recover the password.

If a website stores your actual password in its database, you can kiss it goodbye the moment that database is breached. You probably reuse that password on other sites (let's not be naive), so those accounts are at risk too. If the site stores only a salted hash, an attacker who dumps the database still has to crack each password individually, and a strong password may never be recovered at all. Additionally, if a website emails your password to you (on registration or when you forget it), that email can be read or intercepted, both in transit and wherever it is stored. And if you are like most people, you keep that email so you don't forget the password, which puts you at further risk if your email account is compromised.

The best way to protect yourself is to use a "dummy" password when first registering for a site. After registering, click the "forgot password" link and see whether they send you your password by email. If the email contains a one-time reset link rather than the password itself, the site passes; a site that can mail you your password has it stored in recoverable form. If they do send the password, DO NOT GIVE THE SITE A SECURE PASSWORD. Consider not using the site, complaining to the developers, or using a password you don't care about if it gets stolen.

In general, sites run by large companies or holding sensitive material follow rule #1, though size alone is no guarantee. I've found, however, that quite a few less reputable sites fail this simple security test.

Here are some sites that fail Rule #1 that you may recognize: del.icio.us, Evite, Friendster, Hilton Honors
