I had created an account a while ago and never used it. Today I'm trying to migrate my subscriptions from Bloglines to Newsgator and I went there and requested my password, since I've forgotten it.
Heck, they sent me a clear text password and username!
This tells me that they are either storing the password in clear text in their database or using some encryption (I just hope they didn't implement their own encryption algorithm). Either way, it is retrievable by me, and, by consequence, by anyone on Newsgator (including that disgruntled employee).
IMHO, if you are creating an online service that needs authentication, here are my rules for successfully managing accounts:
Never, ever store passwords of your users. Only store the hashes (MD5 or SHA) and remember to use a Salt for each password.
Let users use their email account as their username. It is very annoying to have to create a username every place I sign up. I forget those very easily, but I never forget my email (see Google Accounts or Microsoft Passport).
When users lose their password, just send them a link for them to reset it (remember to add an expiration date to that link).
Always, always use Word Verification (CAPTCHA) when a user is trying to recover a password, or after he fails 2 or 3 times to enter his password. This helps reduce the risk of somebody doing a bot-attack against your service.
And this is easy: Use SSL (HTTPS) whenever a user posts his password to your site.
From the above, your users database should have at least the following data:
Email 1
Email 2
Email 1 Confirmed
Email 2 Confirmed
Salt
Password Hash
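The hashing and reset-link rules above, sketched as an added example (not code from the original post): it fills the Salt and Password Hash fields and issues an expiring, single-use reset token. It uses PBKDF2-HMAC-SHA256, a key-stretching function from the SHA family, rather than a single MD5 or SHA pass; the function names, the dict-based user record, the round count and the 30-minute link lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 600_000        # assumed work factor; tune for your hardware
RESET_TTL_SECONDS = 30 * 60    # assumed lifetime of a reset link

def hash_password(password, salt=None):
    """Return (salt, hash) for storage; a fresh random salt per password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, stored_hash):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)

def issue_reset_token(user, now=None):
    """Create a reset token; only its SHA-256 hash is kept in the record."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user["reset_hash"] = hashlib.sha256(token.encode()).digest()
    user["reset_expires"] = now + RESET_TTL_SECONDS
    return token  # goes into the emailed link, never into the database

def redeem_reset_token(user, token, new_password, now=None):
    """Set a new password if the token matches and has not expired."""
    now = time.time() if now is None else now
    stored = user.get("reset_hash")
    if stored is None or now > user["reset_expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), stored):
        return False
    user["salt"], user["password_hash"] = hash_password(new_password)
    user["reset_hash"] = user["reset_expires"] = None  # single use
    return True

if __name__ == "__main__":
    # Constructed sample record, not real account data
    salt, pw_hash = hash_password("correct horse")
    user = {"email_1": "alice@example.com", "salt": salt, "password_hash": pw_hash}
    token = issue_reset_token(user)
    print(redeem_reset_token(user, token, "new passphrase"))
```

Because only the token's hash is stored, a read of the database does not yield a usable reset link, just as it does not yield the password.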
Now, I'm no security expert and you should consult your favorite security engineer, but, please, never send my password in clear text. If you took the trouble of setting up a certificate for the HTTPS communication, why do you think that Email is a more secure protocol?