Drive By Password Changing

Just glancing at some sites that I use day to day, I've found yet another that not only doesn't require the old password to change the password, but also has no other evident controls to prevent XSRF. And this one is a pretty big one, too. I notified them, but I'm sure I'll get a canned help desk response "to change your password, click on the Change Password link and enter your new password twice".
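To make the two missing controls concrete, here is an added illustration in Python (not code from this post or from any of the sites mentioned): the weak change-password handler that trusts the session cookie alone, beside a hardened one that also demands the current password and a per-session XSRF token. The `session` and `form` dicts stand in for whatever web framework is in use, and the `User` store is constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

class User:
    # Minimal user record with a salted PBKDF2 hash; constructed for illustration only.
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.set_password(password)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)

    def verify(self, password: str) -> bool:
        # Constant-time comparison so the check does not leak hash bytes via timing.
        return hmac.compare_digest(self.pw_hash, self._hash(password, self.salt))

def issue_csrf_token(session: dict) -> str:
    # Mint a fresh per-session token; the change-password page embeds it as a hidden field.
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def change_password_weak(user: User, form: dict) -> str:
    # The pattern the post complains about: the browser-sent session cookie is the only
    # authorisation, so any request that reaches this handler with the cookie succeeds.
    if form.get("new1") != form.get("new2"):
        return "mismatch"
    user.set_password(form["new1"])
    return "ok"

def change_password_hardened(user: User, session: dict, form: dict) -> str:
    # Require proof the request came from our own page (token) and from the user (password).
    expected = session.get("csrf_token", "")
    supplied = str(form.get("csrf_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "csrf_failed"           # token is not readable cross-origin, so forged posts lack it
    if not user.verify(str(form.get("current", ""))):
        return "bad_current_password"  # a hijacked session still cannot silently take the account
    if not form.get("new1") or form.get("new1") != form.get("new2"):
        return "mismatch"
    user.set_password(form["new1"])
    issue_csrf_token(session)          # rotate the token after a state-changing request
    return "ok"
```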

While I don't totally disagree with Billy Hoffman's paranoia of all things Web 2.0, you would think that the more Web 2.0 a site is, the more concerned it would actually be about security. Password issues aren't specific to Web 2.0, nor is XSRF. But you would think the people working on implementing new methods would have already figured out how to do the old methods right.