Web Security

by Ed Sawicki
Accelerated Learning Center
Tailored Computers

May 18, 2006

This is an image taken from a real Web site on which I have an account and which I am expected to use. Instructions to the staff say that you must change your password when you first connect to the site.

In case you're not up to speed on security, there are a few severe problems with this system:

  1. Passwords must be all numbers. Letters are not allowed. To be most effective, passwords are supposed to be combinations of upper case letters, lower case letters, numbers, and special symbols.
  2. The password must be exactly 6 characters in length. Knowing the password length, an attacker can break the password in far less time.
  3. The password is sent from the Web browser to the Web server over an unencrypted link. This is a foolish mistake. The Security Warning dialog tells you that the password can be read by a third party.
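As an added illustration (not from the site described above), the policy the site enforces is encoded beside a corrected one, with a checker and a count of how many passwords each policy admits. The numeric bounds in STRONG_POLICY are assumed values chosen for the example.

```python
import string

# Constructed policies for the example. WEAK_POLICY mirrors the rules
# criticised on the page (exactly six characters, digits only);
# STRONG_POLICY is an assumed corrected baseline, not a site setting.
WEAK_POLICY = {
    "min_len": 6, "max_len": 6,
    "alphabet": set(string.digits),
    "required_classes": [],
}
STRONG_POLICY = {
    "min_len": 12, "max_len": 64,
    "alphabet": set(string.ascii_letters + string.digits + string.punctuation),
    "required_classes": [string.ascii_uppercase, string.ascii_lowercase,
                         string.digits, string.punctuation],
}


def violations(password, policy):
    """Return the list of rules a password breaks; an empty list means accepted."""
    problems = []
    n = len(password)
    if n < policy["min_len"] or n > policy["max_len"]:
        problems.append(f"length {n} outside {policy['min_len']}..{policy['max_len']}")
    disallowed = sorted(set(password) - policy["alphabet"])
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    for cls in policy["required_classes"]:
        if not any(c in cls for c in password):
            problems.append("missing character class starting with " + cls[0])
    return problems


def keyspace(policy):
    """Number of distinct passwords the policy permits, summed over every
    allowed length (class requirements are ignored, so this is an upper bound).
    A fixed length collapses the sum to a single term, which is problem 2 above."""
    size = len(policy["alphabet"])
    return sum(size ** n for n in range(policy["min_len"], policy["max_len"] + 1))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(name, "admits", keyspace(policy), "passwords")
    print("'123456' under weak policy:", violations("123456", WEAK_POLICY))
    print("'123456' under strong policy:", violations("123456", STRONG_POLICY))
```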

It's possible that problems 1 and 2 exist because the Web server authenticates users against a database of 6-digit PIN-like numbers or a legacy system that wasn't exposed to the public. As far as I know, this is not the case with this system. These problems probably exist because of a defective programmer.

The third problem may have a plausible (though still unacceptable) explanation. The programmer may have asked the organization to purchase a certificate, but management denied the expenditure when they found out how much one would cost. So, he or she believed that providing an encrypted link was not possible.

Of course, it is possible by running a private Certificate Authority for the organization and using self-signed keys. Users would have to be instructed to add the organization's CA to their Web browsers but this can usually be accomplished by having them click a link on a Web page.

This organization's system stores personal information about its customers - members of the general public. Maybe it's time for a law that requires all organizations that store data about others to have their systems audited by security specialists.