Each year I receive angry or confused messages from a person who found email@example.com as the recovery email address in their Google account. This post is intended to explain why.
As a follow-up to my last post, here are a few tips to help keep you from driving your site users away with misguided password restrictions.
#1: Consider Context
Your tweets may be precious to you, but as a web developer, you should understand the differences between password security for Twitter and for online banking. Consider the monetary and legal damages to both you and your customers if their accounts were compromised, and plan accordingly.
Most programmers take a pragmatic approach to security and scale their efforts based on an estimate of the sensitivity of the data they are storing.
The unfortunate truth is that password security is frequently underestimated, making it easy for credentials to be sniffed or stolen. Many users memorize only a small collection of passwords and reuse them on almost every site and service they use, so a password compromise on one site can lead to a compromise on many.
My Tivo just shut down while I was watching late-night election coverage. When the machine came back online several minutes later, I was prompted with a notice about the update I’d just received. As it turns out, my Series 2 Tivo now supports WPA security (with Tivo Wireless Network Adapter).
For the sake of those who downgraded their network security due to lack of WPA support on a few lagging devices such as Tivo, I’m very glad they have rolled out this update. After begging Tivo to release this feature, I chose to buy an overpriced wireless access point and hook the Tivo up to that.
Thank you, Tivo, for coming out to support your users’ security, even if it is several years late.