Phil and Derek just returned from a two-day security conference last week. In that spirit I post this entry...
It's ironic when a site attempts to enforce some security policy but then commits a password no-no. I was on our Web.com (formerly Interland) control panel and cringed when they displayed, in clear text and right before the eyes of anyone in my office, the new password I was trying to set, as shown in this example:

Perhaps just as bad, that page is plain old HTTP -- no HTTPS. Good grief, two for one.
Here are some other password pet peeves I've seen recently which should make everyone cringe:
- Password reset pages or account setup notices send an email with your actual password -- in cleartext!
- Passwords stored on the server in cleartext.
- Password policies that are so strict (e.g., must change every 30-90 days) that users end up writing their passwords on their monitors.
If you set up a new account on some website and discover item #1, realize that your password is probably known to every administrator of that site. Hopefully they didn't log it in cleartext in some file on their server. Hopefully you did not use the same username and password on your other sites! If you did, immediately change that password to something unrelated and consider deleting the account. You probably don't want to do business with a site that employs those coding practices.
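Items #1 and #2 share one root cause: the server keeps the password itself, so it can be read by administrators and mailed back to the user. The following is an added example (not code from the original post or from Web.com) showing the cleartext store beside the alternative a site should use: a salted PBKDF2-HMAC hash that lets the server verify a login without ever being able to recover the password, plus a password-reset flow that emails a one-time random token instead of the password. The usernames, passwords, iteration count and storage format below are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# --- What item #2 does (constructed example of the bad practice) ------------
# The operator, anyone with the database dump, and anyone reading a backup
# sees every user's password. This is also what makes item #1 possible:
# the site can only email your password back because it still has it.
CLEARTEXT_STORE = {"alice": "correct horse battery staple"}  # constructed


def store_password_cleartext(store: dict, user: str, password: str) -> None:
    store[user] = password  # the password is now readable by every admin


# --- Hardened alternative: store only a salted, slow hash -------------------
# Assumed parameters for this example; the iteration count is a cost knob,
# not a value from the post.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'.

    A fresh random salt per user means two users with the same password get
    different stored values, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the key from the candidate and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- Password reset without emailing the password (fix for item #1) ---------
def issue_reset_token() -> tuple[str, str]:
    """Return (token_to_email, hash_to_store).

    Only the hash is kept server-side, so a leaked database does not hand
    out usable reset links; the email carries the token, never the password.
    """
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def redeem_reset_token(stored_hash: str, presented: str) -> bool:
    """Check a presented token against the stored hash in constant time."""
    presented_hash = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented_hash, stored_hash)


if __name__ == "__main__":
    # Constructed walk-through: the hashed store can verify a login but
    # never yield the password, so an admin cannot "look it up" or mail it.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password(record, "correct horse battery staple"))
    print("login with wrong password:", verify_password(record, "Tr0ub4dor&3"))
    token, token_hash = issue_reset_token()
    print("reset link carries:", token)
    print("server keeps only:", token_hash)
    print("token redeemed:", redeem_reset_token(token_hash, token))
```

The format string written by `hash_password` records the algorithm and iteration count alongside the salt, so the cost can be raised later without invalidating existing records: on a successful login, re-hash with the new parameters and overwrite the old value.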