[Seaside] authentication for seaside
sebastian at flowingconcept.com
Wed Dec 29 15:52:21 UTC 2010
great references, Andrés
On Dec 29, 2010, at 12:50 PM, andres wrote:
> There are many views on this topic, and most of them are right to a certain extent. I particularly agree with the title of this post http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html and with some parts of the article itself. I've been doing some research recently regarding password storing, why it should be avoided if possible and what you should do if you have no alternative; maybe these links are helpful to someone else:
> Tony Fleig wrote:
>> Regarding consolidation of account login security:
>> I think it depends on the purpose of the password and the account. If
>> the account exists only to separate one user's data from another's,
>> then one could argue the password is actually not needed at all; the
>> username is enough. If, in contrast, the purpose of the password is
>> for security, then the password is a critically important part of
>> preventing unauthorized access to the user's information.
>> Users have for years been using the word "password" and other
>> easy-to-guess words as their password and many of these users have
>> suffered the consequences. Entrusting the security of all your on-line
>> accounts to a single entity, be it Facebook, Twitter, or a national
>> government provides a single point of failure for the security of the
>> associated accounts. This is the same reason why using the same
>> password for multiple accounts is ill-advised.
>> Passwords are vulnerable not only to on-line hacking, but also to
>> theft or hacking from within the organization that maintains and
>> verifies the password. I believe the threat from inside the
>> password-holding organization is probably as great or greater than the
>> threat from outside given the greater level of access those inside the
>> organization have.
>> I have divided my on-line accounts into two groups: those whose
>> security is not important because they do not contain any personal
>> information, and those whose security is indeed important, such as
>> on-line bank accounts and any account containing personal information
>> that could lead to identity theft. I use one password for all the
>> insecure accounts, and a different password for each of the secure
>> accounts. That way if a password is revealed, only one account is
>> immediately compromised.
>> I understand keeping track of many passwords is inconvenient and just
>> automatically using one's Facebook login at another site is very
>> convenient. Convenience is also the reason why people use the word
>> "password" as their password. I, personally, would not use automatic
>> Facebook or Twitter login for any but my insecure accounts -- and
>> those are almost by definition, the accounts that are not very
>> important to me.
>> I have three friends whose on-line accounts were compromised and who
>> lost significant amounts of money and suffered months of continued
>> problems recovering from identity theft. These were not rich people.
>> This does happen.
>> I think there is still a place for per-site login and security,
>> inconvenient as it may be.
>> seaside mailing list
>> seaside at lists.squeakfoundation.org
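Andrés points to the "you're probably storing passwords incorrectly" article above. As an added example (not code from this thread or from Seaside itself), the Python below contrasts the unsalted fast hash that article warns about with a per-user-salted, iterated PBKDF2 record and constant-time verification; the record format, the iteration count and the function names are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2 (assumed value); raise it as hardware gets faster.
ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """The 'incorrect' scheme: one unsalted, fast hash. Every user who
    picks the same password gets the same digest, so a single precomputed
    table (or one cracked account) exposes all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.
    A fresh random salt is drawn per user unless one is supplied (tests).
    The salt makes equal passwords produce different records, and the
    iteration count makes each guess expensive for an attacker."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time, so a malformed record or a wrong guess both fail."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    alice = make_record("password")  # constructed sample users
    bob = make_record("password")
    print("weak digests equal:", weak_hash("password") == weak_hash("password"))
    print("salted records equal:", alice == bob)
    print("verify:", verify("password", alice), verify("Password", alice))
```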