Here's A Great Idea To Improve Internet Security

LinkedIn is just one of many companies to have its security flaws exposed recently. And there are probably many more incidents that have slipped under the radar. What are the consequences for these companies? They just seem to shrug and carry on.

When are all companies going to take security more seriously? I don't know, but it feels like they really don't give a damn about you and continue to repeat the mistakes of others.

Perhaps every company should follow this simple advice:

New rule: every website must disclose their password storage format on the signup page. Scared to disclose? It's too weak.

At least that way consumers would be able to make a more informed decision before trusting a company with their personal information. Even if, in the end, their password is qwerty12345. [Twitter]
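To make the tweet's test concrete, here is an added example (not from the original post or its author) of what a "password storage format" a site could disclose without embarrassment looks like next to one it would rather hide. The record layout (`$pbkdf2-sha256$<iterations>$<salt>$<hash>`), the scheme name and the 600,000-iteration default are constructed for this example; they mimic the self-describing style of modern password hashing libraries but are not any particular library's format. The unsalted MD5 function is the "too weak" baseline: fast, and identical for every user who chose the same password.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed record format for this example: $pbkdf2-sha256$<iters>$<salt>$<hash>
SCHEME = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 600_000   # tunable assumption; raise it as hardware gets faster
SALT_BYTES = 16                # per-user random salt
KEY_BYTES = 32                 # derived key length


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record that carries its own scheme and parameters.

    Because every parameter is inside the record, the site can change iterations
    or salt length later and still verify old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return f"${SCHEME}${iterations}${_b64(salt)}${_b64(digest)}"


def parse_record(record: str) -> dict:
    """Split a stored record back into its parts (base64 never contains '$')."""
    _, scheme, iterations, salt, digest = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    return {"scheme": scheme, "iterations": int(iterations),
            "salt": _unb64(salt), "digest": _unb64(digest)}


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iterations; compare in constant time."""
    fields = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    fields["salt"], fields["iterations"],
                                    dklen=len(fields["digest"]))
    return hmac.compare_digest(candidate, fields["digest"])


def storage_format_disclosure(record: str) -> str:
    """The one-line statement a signup page could publish about its scheme."""
    fields = parse_record(record)
    return (f"Passwords are stored as {fields['scheme'].upper()} with "
            f"{fields['iterations']} iterations and a "
            f"{len(fields['salt'])}-byte per-user random salt.")


def unsalted_md5(password: str) -> str:
    """The baseline nobody wants to disclose: unsalted, fast, and identical for
    every user with the same password, so one cracked hash unlocks all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who both picked the article's example password.
    alice = hash_password("qwerty12345")
    bob = hash_password("qwerty12345")
    print(storage_format_disclosure(alice))
    print("salted records differ for the same password:", alice != bob)
    print("verify correct password:", verify_password("qwerty12345", alice))
    print("verify wrong password:  ", verify_password("qwerty12346", alice))
    print("unsalted MD5 is the same for both users:",
          unsalted_md5("qwerty12345") == unsalted_md5("qwerty12345"))
```

The point the disclosure test relies on is visible in the code: a scheme that is safe to publish is one whose strength does not depend on secrecy of the method, only on the cost of each guess and the uniqueness of each salt.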


Comments

    This practice would do little to improve "internet security" or benefit customers, as you would expect customers to understand the levels of security that are provided. Nor does this actually improve any security "control" for the provider, other than to limit loss of reputation and brand post-breach.

    Conceptually this is more appropriate in the form of advisory and awareness towards customers, regarding use of passwords and staying secure.

      It's not about actually informing anyone. It's a simple test: if you're storing your passwords correctly, then you'll have no issues in disclosing that fact; however, if you aren't storing your passwords correctly, then you won't want anyone else to know that.

      The idea is that if you actually tell people how you're doing it, then you're either doing it right, or if you are doing it wrong, expect the wrath of the Internet to come down on you. If you don't tell people what you're doing, then what are you hiding?

        Disclosing how you are storing passwords would certainly open smaller sites (ones that can't afford a full-time security dude) up to brute force, because they just won't have the resources to constantly keep ahead of hackers. Add to this the fact that you can be using the best encryption going around, but if you fail to parse and validate them properly, hackers are just going to get them with an injection attack of some sort.

        Personally I think that you shouldn't put information on the internet that you don't want people to see.

    Take this idea (a good one imo) and extend it out to a simple (non-geek understandable) classification system for security.

    A scale of 1 to 5 where the best practice *of the day* is classified against it. Therefore if a site uses the old best it has a 5 on the scale, and if it doesn't change it it becomes a 4 or whatever.

    Something akin to how we have energy (or water usage) rating stars. They have an actual meaning that few know or care about except to know they want more of them.

    That will teach me to write something, half re-write it, then not check it before posting.

    I meant the scale reflects the best usage of the day, and a site could have a 5 star rating, but if the rating system changes and the site itself doesn't change its security then it would now be re-rated. A bit like what happened with energy ratings here some years ago.
    If this were extended to be a W3C or other standard, then browsers could be aware of the rating on sign up and provide warnings to users if there were no rating or the rating were low, and provide standardised warnings if the site were unrated or low rated.
    This of course would rely on sites being honest about how they are doing their security, but if a top rated site got hacked and it came out that they had lied, then there would be hell to pay beyond the "shrug, oh well, this stuff happens" level we see right now.

    Since most users wouldn't know what to do with that information, I don't think it would have much effect. I think a better idea would be to legislate some sort of basic security burden for all service providers that have over a certain number of users. Or some basic industry standards with an auditing/certification process.

    Unfortunately this will NEVER EVER work. Since the scale on which you try to formalise this type of thing is directly related to how useless the bureaucrats will make the resulting product.
