Saturday, January 31, 2009

Weak vs. Strong Password (On a sticky)

"Be sure to write down the insane password it generates for you (below), as a weak password would be far worse than a strong password jotted down on a sticky note next to your PC."
Is this the logic we use now when it comes to password management?

Thursday, January 29, 2009

Infocard Transaction (Becoming?) Possible on iPhone

I think this is a big step forward for identity federation on the iPhone, mainly because it's the merging of two subjects I find rather interesting. I'm not a big Objective-C developer, but reading MobileOrchard's post on protocol handlers within the iPhone SDK gave my brain a kick-start this morning.

Imagine this: As described in previous posts, you encounter a page with an infocard:// link as the login button. That kicks off an iPhone InfoCard selector application, which retrieves the WS-Mex data from the RP page and then interacts with the chosen IDP using WS-Trust to retrieve a token. The retrieved token would ideally then be POSTed to the RP within Safari, but apparently Safari won't deliver app-formed POST data yet. So the last piece of the puzzle would be to either URL-encode the token (yuck), or do some kind of artifact retrieval (equally bad if not worse).

Monday, January 26, 2009 Security Breach

Absolutely disgusting. A company's (lack of) security allows a data breach, and they cavalierly dismiss it as a price of doing business.

As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database.

Which should have actually said: "As is the case with many companies that maintain large databases of information, we failed to take the proper precautions to secure your information against unauthorized access and theft." It's even worse they they don't intend to email users about the breach. The solution they provided offers little comfort.

It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.

If the information has been accessed (and probably copied), how do they intend to detect/prevent the misuse of information? Maybe they should enter the DRM space if they've got the solution.