Security on the Web 2.0

Sites are popping up so quickly, they forget to be secure.
Friday, January 06, 2006

This whole “Web 2.0” thing has got a bunch of people throwing up a bunch of sites really fast. Some of the sites are really good and useful and cool, while others are bad and useless and ugly. What strikes me about most of these sites is that in their haste to pop up on the web-o-sphere, they have forgotten some basic principles of web applications, of which the most notable to me is password security. Upon registration, almost all of these sites send you a confirmation email that includes your password in plain text. Yes, I am a bit paranoid, but think about it: most people use the same password for every site on the web. So even though your site might just be storing a list of RSS feeds that a person reads, you may have just emailed out the person’s password to their online bank account. I can only imagine that these sites are not storing the passwords encrypted in their databases. Makes you wonder what else they aren’t storing encrypted, or what they are doing with your email address.

Let’s get back to the basics, before we jump off the deep end again, ok?
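
As an added illustration (not code from this post or from any site it mentions), here is a registration flow in which the confirmation email carries a single-use token instead of the password, and the database holds only a salted, slow hash. The in-memory `USERS` and `OUTBOX` stores, the `example.invalid` URL and the PBKDF2 iteration count are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

USERS = {}    # constructed stand-in for the user table
OUTBOX = []   # constructed stand-in for the outgoing mail queue
ITERATIONS = 600_000  # assumed PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)
    USERS[email] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        # Keep only a digest of the token, so a database leak cannot confirm accounts.
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "confirmed": False,
    }
    # The email contains the token only. The password never leaves the request.
    OUTBOX.append((email, f"Confirm: https://example.invalid/confirm?t={token}"))


def confirm(email: str, token: str) -> bool:
    user = USERS.get(email)
    if user is None or user["token_hash"] is None:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, user["token_hash"]):
        return False
    user["confirmed"] = True
    user["token_hash"] = None  # single use
    return True


def check_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])
```
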