Security

14 Nov 2008

Teaching people to get phished

No, this isn't a write-up on Twitterank, the latest example of 15 seconds of hype-fueled hysteria that the Internets whipped into a minor frenzy before moving on to the next sensationalistic headline.

(more...)

Teaching people to get phished, old skool style!

27 Jun 2008

Writing the post on del.icio.us's password policy got me thinking about passwords and online security again.

Having a strong password policy such as "passwords must be longer than six characters and must contain a number or a symbol and a mix of uppercase and lowercase characters" is great in theory, but let's take a moment to follow Joe User as he encounters such a policy and chooses his password:

(more...)

On online security and password policies

13 Jan 2008

How unsexy are Wordpress security updates? I have the horrible habit of doing everything else first before attempting one (which, of course, is absolutely the worst thing you can do, as the recent spam hack on the SWX blog demonstrated so well). I used to dread doing the updates mainly because I just knew something would break. At least that's how I used to feel.

When I last upgraded Wordpress, a little over a week ago to version 2.3.1, I made a slightly delayed New Year's resolution that I wouldn't hack the blog. Instead, I decided to do everything using plugins and widgets (which are plugins that display on your sidebar). And -- wonder of wonders -- I actually stuck to it! That being the case, upgrading is no longer a nightmare.

(more...)

Upgrading to Wordpress 2.3.2

11 Nov 2007

Writing about secure passwords in Buzzword got me thinking about the state of security and user trust in Flash (and Flex)-based Rich Internet Applications in general. After giving it some thought, I concluded that we have a little more work to do if users are to be expected to have the same sort of trust in Flash-based RIAs as they do for JavaScript and HTML-based applications and web sites.

The key security issue I see with Flash applications, especially those that deal with sensitive information, is that the user has no way of knowing whether or not the application is communicating their sensitive data over a secure connection.

(more...)

Building trust in Flash-based RIAs: a security feature request