Suggestion for password policy
Submitted by gatewaygirl (not verified) on 21 November 2008 - 4:04am.
This is a suggestion on policy & procedure, not on the actual TOS, but I have twice recently had a site (one a fannish archive, one a high school) send me my new password in clear text in email, with no warning that they would do such a thing. Please be more secure than this! Minimally, you should warn at password creation if you will ever send the password as text, but better yet, don't do that.
What I consider "standard security" behavior is this:
When you create an account, you are sent email with your username and links to relevant data, possibly including your account page, the "if you forget your password" procedure, and self-help resources.
If you forget your password, an admin changes it to a temporary password, and then emails the temporary password to you. (Note that this still protects your password if you use it for more than one site.) You log on and change the temporary password to something you think you can remember.
I've worked in computers since 1988, the majority of it in support for network software, including monitoring software that grabbed network traffic for analysis and display. Given that package, I could easily filter on SMTP (mail) data containing the string "password", and get this sort of message from, say, unsecured wireless networks within range of my laptop. I could also automate that to run and store data while I'm not at the computer. That was state of the art fifteen years ago or more. (Though my example does assume a modern network card.)
*takes off geek hat*
Great job! This shows a stunning amount of planning. I especially like the "fannish next-of-kin" idea, and the provisions for other archives using the site for backup. :-)
That reminds me -- a few years ago, I instructed my husband as to whom he was to send all my unfinished stories if I died. I should probably remind him of that, or write it down in my planner...
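The admin-reset procedure the comment describes, as an added Python illustration (not code from the site or from the commenter): the admin side generates a random temporary password, stores only its salted hash, never touches the user's old password, and the temporary credential is only good for a forced password change and expires after an assumed one-hour window.

```python
import hashlib
import hmac
import os
import secrets
import time

TEMP_PASSWORD_TTL = 3600  # assumption: temporary passwords are valid for one hour


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the store never holds a recoverable password, temporary or not.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountStore:
    def __init__(self):
        self.accounts = {}  # username -> {"salt", "hash", "must_change", "expires"}

    def create(self, username: str, password: str):
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": _hash(password, salt),
                                   "must_change": False, "expires": None}

    def admin_reset(self, username: str) -> str:
        """Admin step of the procedure: replace the password with a random temporary
        one, keep only its hash, and return the plaintext once for delivery to the
        user. The old password is never read, so a reused password stays private."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.accounts[username].update(salt=salt, hash=_hash(temp, salt),
                                       must_change=True,
                                       expires=time.time() + TEMP_PASSWORD_TTL)
        return temp

    def login(self, username: str, password: str) -> str:
        """Returns "ok", "change_required" (temporary password accepted) or "denied"."""
        rec = self.accounts.get(username)
        if rec is None:
            return "denied"
        if rec["expires"] is not None and time.time() > rec["expires"]:
            return "denied"  # stale temporary password: the admin must reset again
        if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            return "denied"
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        # User step: the temporary password is consumed by setting a permanent one.
        if self.login(username, old) == "denied":
            return False
        salt = os.urandom(16)
        self.accounts[username].update(salt=salt, hash=_hash(new, salt),
                                       must_change=False, expires=None)
        return True
```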