Geek(Wisdom).com

I currently make how-to videos on computer related topics. Check out my videos at either
Youtube or Revver

You are probably reading this post because you are an Outlook or Outlook Express user and you tried to reply to a digitally signed e-mail from me. The result was a warning/error notice stating, "You cannot send digitally signed messages because you do not have a digital ID for this account." or some such thing. You are receiving this notice because Microsoft made a mistake in the default configuration settings when it packaged Outlook and Outlook Express for distribution.

I've been thinking about all the Internet sites that I've created an accounts on for one reason or another. It has to be in the hundreds. Of those sites I wonder how many of them would let me delete my account completely. Very few I bet. Probably the most universal method of deleting my account--at a site I no longer want to have a relationship with and does not offer a "delete me" mechanism--is to poison the account with bogus information. I could change all the information about me to false information and, if allowed, change my e-mail address to something bogus as well. I guess I'd have to read the terms of use policies but isn't this my account?

When was the last time you changed your e-mail password? If you're like most people, you probably can't remember. That means it's been too long. How about some external motivation? Consider the number of Internet processes that assume you have control of your e-mail account:

• e-commerce applications
• Web site membership enrollment processes
• domain registration and management
• hosting providers

What would happen if a bad guy figured out your e-mail password? He could change your password. But why would he do that when he could use your account at the same time as you. He could request a password change from any Web site that uses e-mail confirmations. Perhaps one of the worst things that could happen to you is to lose your domain name. Imagine if the bad guy transferred your domain name to another registrar into an account that he controlled. How much damage would that cause?

Web browsers have become the de facto client interface to Internet based applications. As we travel around the Internet, whether for pleasure or business, we find ourselves creating personal profiles for various Web sites. These profiles usually include access credentials (usernames and passwords). Good password management practice calls for many distinct passwords. But this proliferation of passwords results in the need for strong password storage. In addition to password management we need to give some thought to encrypted communications. We typically just install a browser and start surfing without any thought for the decisions other people have made for us about who we should trust or how we should communicate. The default settings for SSL/TLS are a good example of this.

How do you insure your users passwords meet required standards?
For a front end HTML solution to strong password checking see Steve's Javascript example.
On the Java server side or from the command line take a look at PasswordCheck. This code extends Steve's script onto the server side allowing pre-defined rules to determine pass or fail strength checking before the user's password is stored to the database, LDAP or other directory server. Open source licensed.

Think about it for a second. What would you loose if someone stole your laptop (or desktop) computer? What kind of damage could be done to you with the information retrieved from your laptop? The theft of a computer brings with it all the problems associated with a failed hard drive plus the added risks of the data on the drive being out of your control and potentially used by an unauthorized person for things that are likely to impact you negatively.