Hacker News: asdfor's comments

Bad implementations of a feature do not make the feature bad as well. If you as a site owner allow, for example, a password reset based on just answering the secret question, guess what: bad implementation. If you don't inform the users what the secret question can be used for, guess what: bad implementation. If your users choose to use a question that has an answer that can be found easily, it's the same as having a user use the word 'password' for a password. I can go on and on about how you can get something like this wrong.

Let's say that my computer gets keylogged and the attacker gets the account/password of site X and my email info as well. Now the attacker wants to take over both of the accounts. Let's see how things will go if no secret question is involved: at best site X will require an e-mail confirmation for a password change; probably by just providing the old password the attacker will be able to change it. On top of that the site that hosts my e-mail can't be linked to something else, because of that I guess by simply providing my old password the attacker will get over my e-mail too.

HOWEVER, if the sites require a secret question/answer verification the attacker won't be able to take over my accounts. And I am able to change both the passwords and get full control of the accounts.

The secret question/answer feature should be treated as a MASTER password. You have your casual password which allows you to identify yourself to the system etc., but if you want to change some critical information of the account you will have to provide your master password.

If both the site and the user make good use of the feature there is nothing wrong with it.


The first step on securing an Ubuntu server is switching to Debian (this sounds a bit trollish but oh well)


I can't figure out on what grounds the judge granted access to the IP logs. Also, what could Sony do with the IP addresses? Nothing; they are just trying to force people away from any websites with such information. The user base of the PS3 is underage teens, vulnerable to such scare tactics ....


TL;DR: We found a loophole in the license, we are going to abuse it. Problem??? :trollface:


I was expecting to see a list of registrars based on how many domains they handle, but that's not the case. On top of that you don't point out either on what criteria you sort these registrars as the top ones. Like brianwillis points out, it's just a low quality article with biased sorting (I guess it's not random that the first registrar on your list has an affiliate link, huh?)


I agree. I should have set down criteria for ranking the domain name registrars. And as far as the affiliate link is concerned, it is there because it pays well.

However, I will be careful of the content quality henceforth. Thanks for your frank feedback! :)


I don't have a problem when an author uses their affiliate link; it is more than welcome for the author to be rewarded. I think it would be better if you informed the users when you use affiliate links; it would definitely boost the credibility of your articles.


Hi! Following your appraisal of the post, I have gone on to edit the complete article and made it newsworthy. Please do go through it and let me know.

Regards.


It's really simple: AS LONG AS the user uses a weak password, using bcrypt or not won't protect him. Why? Well, instead of brute forcing the hashed password I'll directly try to brute force using the normal login method of your site (even if you rate limit my login attempts it won't take that much time... (see proxies) (if you are thinking about rate limiting per username etc. you suck).

If you need your users' accounts to be safe, just force them to use a strong enough password.

hashed(password + salt) = epic win


I think rate limiting per user is perfect. And if the real person wants to log in while someone else used up their attempts, do a quick email confirmation.


"do a quick email confirmation". And what happens if one or more of your users gets targeted for a long period of time? You will force them to open their inbox every time they want to log in to your site? And this gets even better if they target your site generally; it will be a lot of fun for the majority of your userbase to have to do that "open inbox" step, bet users will love it :)

Sorry mate, but your method sounds easily exploitable ... heck, using reCaptcha would be less punishing for the user than your approach.


Please explain what you mean by rate limiting and why that's no good.


In some period of time a user is only able to do some amount of login attempts; after that he has to wait until he can try to log in again. You can do that per IP or per username. Doing it per username is not good because someone can abuse that to block the genuine user from logging in. Doing it per IP is the best option you have, and I didn't say that it's not good; what I said is that if the user uses a weak password, even if you put a rate limit in place they will be able to find the password soon enough.
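
A worked version of the per-IP versus per-username distinction, as an added example that is not part of the original thread: the same sliding-window limiter keyed either way, with constructed addresses, usernames and limits, showing that a per-username key lets a flood of failed attempts from one source lock the genuine user out while a per-IP key does not.

```python
# Added example (not from any commenter): a sliding-window login rate limiter
# that can be keyed by client IP or by username. Names, limits, addresses and
# the simulated attempts are constructed for illustration.
from collections import defaultdict, deque


class LoginRateLimiter:
    """Allow at most `limit` attempts per key within a `window` of seconds."""

    def __init__(self, limit=5, window=60.0, key="ip"):
        assert key in ("ip", "username")
        self.limit, self.window, self.key = limit, window, key
        self._attempts = defaultdict(deque)  # key -> timestamps of recent attempts

    def _key(self, ip, username):
        return ip if self.key == "ip" else username

    def allow(self, ip, username, now):
        """Return True if this attempt may be checked against the password store."""
        q = self._attempts[self._key(ip, username)]
        while q and now - q[0] >= self.window:  # drop attempts that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(key):
    """Constructed scenario: 20 failed attempts on 'alice' arrive from 10.0.0.9
    within one window, then the real Alice logs in from 192.0.2.7.
    Returns (attempts_allowed_from_10.0.0.9, genuine_user_allowed)."""
    rl = LoginRateLimiter(limit=5, window=60.0, key=key)
    flood_allowed = sum(rl.allow("10.0.0.9", "alice", now=t) for t in range(20))
    genuine = rl.allow("192.0.2.7", "alice", now=20.0)
    return flood_allowed, genuine


if __name__ == "__main__":
    print("per-IP      :", simulate("ip"))        # (5, True): Alice unaffected
    print("per-username:", simulate("username"))  # (5, False): Alice locked out
```

Both keyings cap the flood at five checked attempts per window; only the per-username variant turns that cap into a denial of service against the account's owner.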


It looks pretty neat; however, I can't really see any usage for it. It's way faster to use a program with a GUI where you can draw those diagrams instead of writing ASCII ...

Could anyone suggest a good usage for this program?


Some dinosaurs (such as me) are used to doing diagrams the ASCII way, and just fumble around with GUI tools :)

Also, the diagrams look pretty nice graphically, better than the output of most GUI-based diagram tools, at least the free ones.


Diagrams in comments stored with code, that get rendered nicely with a presentation style for the code. Useful tool in a literate programming toolbox.


The coupon is good for their video titles too (according to their homepage).


1) I don't like the fact that you use plain text instead of an AWESOME logo for your own brand ...

2) You are probably using (I bet you are) a stock theme; from somebody that's supposed to sell me a unique logo I expect him to be capable of designing a nice site ...

3) I liked 3 of the logos (candice jane cakes, bad news bakers, twarket); the rest didn't look amateurish


Well, like the rest already mentioned, you probably want to compare Python and Ruby, in which case I would go with Python

