On Fri, Jan 9, 2009 at 3:38 PM, Sriram Panyam wrote:
> you know all said and done how the hell do you technically safeguard
> against "Happiness" as a password?
The problem is not so much that (it's bad, arguably, and even you
could force some complexity or length (personally I recommend
long-s
you know all said and done how the hell do you technically safeguard
against "Happiness" as a password?
but yes a dictionary attack is something they could have prevented with
rate-limiting!
On Fri, Jan 9, 2009 at 2:46 PM, Shaon Diwakar wrote:
>
> Implementing OAuth can get tricky when retrofi
Implementing OAuth can get tricky when retrofitting, especially since
a lot of sites such as Twitter may have unique/custom user
authentication models, but it's definitely a step forward.
For everyone working on a web app, please consider the following Top
Ten common threats [1] along with
OAuth isn't the solution for everything, but it at least eliminates the
stupid practice that's creating a culture of risk (due to acceptance), that
requires consumers to hand over their password between unrelated entities.
APIs are at the core of not just the mashup culture on the web, but of
fu
Forget about oAuth - none of this problem gets fixed until we get some
decently coded applications!
More to my point: http://news.zdnet.co.uk/security/0,100189,39588628,00.htm
Twitter hackers - a brute force attack. Twitter has no limit on login
attempts, no challenge-response and no Captcha.
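One way to close the gap that message describes (no limit on login attempts), as an added example that is not from the thread or from Twitter: a sliding-window limiter that counts failed logins per account and per source IP and refuses further attempts for a lockout period. The thresholds, the `LoginRateLimiter` class and the `attempt_login` helper are assumptions made for the example.

```python
from collections import deque
import time

MAX_FAILURES = 5        # failed attempts tolerated inside one window (assumed value)
WINDOW_SECONDS = 300    # sliding window the failures are counted in (assumed value)
LOCKOUT_SECONDS = 900   # how long further attempts are refused after the limit (assumed value)


class LoginRateLimiter:
    """Counts failed logins per key (account or source IP) in a sliding window.

    `clock` is injectable so the behaviour can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # key -> deque of failure timestamps
        self.locked_until = {}  # key -> time at which the lockout expires

    def _recent_failures(self, key, now):
        # Drop failures that fell out of the window before counting.
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def is_locked(self, key):
        return self.clock() < self.locked_until.get(key, 0)

    def record_failure(self, key):
        now = self.clock()
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, key):
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def attempt_login(limiter, username, source_ip, password_ok):
    """Gate one login attempt; returns 'locked', 'ok' or 'bad_password'."""
    keys = (("user", username), ("ip", source_ip))
    # Refuse before the password is even checked, so a locked key reveals nothing.
    if any(limiter.is_locked(k) for k in keys):
        return "locked"
    if password_ok:
        # Only the account's own history is cleared; the IP keeps its record.
        limiter.record_success(("user", username))
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "bad_password"
```

Locking on the source IP as well as the account means a single address cycling through many usernames is slowed down too, which is the brute-force pattern the article above describes.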
@silky - totally agree, Twitter need to adopt a password anti-pattern:
http://adactio.com/journal/1357/
FriendFeed does it really well - they have a 'remote key' which third-party
applications use - and not your actual username and passwords.
It's been well thought out...
I'm really amazed at
Mashable had several posts about this.
http://mashable.com/2009/01/03/warning-twitter-phishing-attack-underway/
"You can follow updates on the attack by subscribing to the Twitter
topic #phishingalert"
http://search.twitter.com/search?q=%23phishingalert
Rex
--
Sydney: +61 421 591 943
HK: +85
An excellent point that some of us at work were discussing a few weeks
ago: there are SO many dodgy-looking sites asking for Twitter
credentials to do who knows what with, it's scary!! It's like phishing
attacks without even pretending to look like something else :)
Will definitely aim to talk abo
Thanks David and Michael - I've incorporated those posts into the blog post
that will be published tomorrow morning.
On Mon, Jan 5, 2009 at 8:53 AM, silky wrote:
>
> Yeah, this is why I don't use those services.
>
> oAuth is an option, but even twitter doing something trivial
> themselves would
Yeah, this is why I don't use those services.
oAuth is an option, but even twitter doing something trivial
themselves would be nice, like I proposed here a while back:
http://lets.coozi.com.au/content/token-based_authentication_for_api_access.html
On Sun, Jan 4, 2009 at 5:06 PM, Elias Bizanne
Here is an example of why what Elias is proposing is important. The Twitter
sign-in has 'groomed' people into poor privacy practices and so the bad guys
have moved in.
I've been waiting for phishing to start for a while and also you can expect
malware on the end of the tinyurl, tr.im, bit.ly urls becau