Sunday, June 6, 2010

SurveyMonkey has crummy logon security

FYI, SurveyMonkey is a great site, but they have really crappy login security. They evidently store your password in the clear, or in a reversibly-encrypted form: if you use the forgotten-login feature, they helpfully email you both your login _and_ your cleartext password. What year is it again? A site that can email you your password cannot have stored a one-way hash of it, and anyone who reads that email (or the database behind it) now has your password. That is the kind of kindergarten mistake there is no excuse for making. How to handle logons securely is well standardized: store only a salted, slow one-way hash of the password (PBKDF2, bcrypt or the like), and handle forgotten passwords by emailing a random, expiring, single-use reset token rather than the password itself. There are plenty of simple libraries for both. No excuse for security this bad...
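To make the contrast concrete, here is an added example (my own illustration, not SurveyMonkey's code or any library's API) of the two things the post says a site should do instead: store only a salted PBKDF2 hash of each password, and run the forgotten-password flow on a random, expiring, single-use token so that the password itself never has to be emailed. The `UserStore` class, the in-memory dictionaries, the iteration count and the one-hour token lifetime are all assumptions chosen for the example; the standard-library calls are real.

```python
import hashlib
import hmac
import os
import secrets
import time

# Work factor for PBKDF2-HMAC-SHA256. Hypothetical value for this example;
# raise it as hardware gets faster.
PBKDF2_ITERATIONS = 100_000
# How long an emailed reset token stays valid (assumed: one hour).
RESET_TOKEN_TTL_SECONDS = 3600


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh 16-byte random salt is used every time, so two users with the
    same password get different records and precomputed tables are useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# A record for a throwaway password, used so that login attempts against
# unknown usernames take as long as attempts against real ones.
_DUMMY_RECORD = hash_password(secrets.token_hex(8))


class UserStore:
    """Constructed in-memory stand-in for the site's user database."""

    def __init__(self):
        self.users = {}          # username -> password record (never the password)
        self.reset_tokens = {}   # username -> (sha256(token) hex, expiry timestamp)

    def create_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            verify_password(password, _DUMMY_RECORD)  # burn the same time, then fail
            return False
        return verify_password(password, record)

    def request_reset(self, username: str, now: float = None) -> str:
        """Return the token to email to the user, or None for unknown users.

        Only a hash of the token is kept server-side, so a leaked table of
        pending resets does not let anyone take over accounts.
        """
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[username] = (token_hash, now + RESET_TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, username: str, token: str, new_password: str,
                       now: float = None) -> bool:
        """Set a new password if the token matches, is unexpired and unused."""
        now = time.time() if now is None else now
        entry = self.reset_tokens.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if now > expires_at:
            del self.reset_tokens[username]     # expired tokens are discarded
            return False
        presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False
        del self.reset_tokens[username]         # single use
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct horse battery staple")
    print("stored record:", store.users["alice"])   # salt and hash only
    token = store.request_reset("alice")
    print("would be emailed:", token)                # the token, not the password
    print("reset ok:", store.complete_reset("alice", token, "new passphrase"))
    print("old password still works:", store.login("alice", "correct horse battery staple"))
```

The stored record contains the salt and hash but not the password, which is exactly why a site built this way cannot email your password back to you: it does not have it. The reset email carries a random token that expires, works once, and is itself stored only as a hash.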

Fortunately, they now let you sign in with your Google login, so that may be the better option: it gets them out of the authentication business, which it appears they have no business being in.
