string together the initial letters. For example, “I like to buy food for my dog
and to walk with it” would be Il2bffmda2wwi or even Il2bffmd&2wwi.
So, if you build a new Web product that needs authentication, and you
really need to build your own log-in system rather than use Google, Yahoo,
Facebook Connect or OpenID (which might be a good idea), please do not
allow users to use passwords like “password” or the not-much-safer
“password1.” Recently, a list of passwords banned by Twitter leaked onto
the Web, shown here as the full code. This is a good idea (the list, that is,
not the leak).
What To Do On Your Server
Even if you are not a server expert, that’s no excuse for running an insecure
server. Here are some things to make sure of.
Turn Off Folder Listing
As explained earlier, allowing people to navigate your folders (i.e. path
traversal) is a bad idea. Testing whether your server has path traversal
turned on is easy:
- Create a new folder on the server; for example, pathtest.
- Add some files to the folder. But do not add index.html, index.php, default.aspx or whatever else your server uses as the default file name.
- Check the folder in your browser; for example, by going to http://example.com/pathtest/
- If you can see a listing, contact your server admin to turn that off!
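The same check, automated, as an added example that is not part of the original article: it creates a pathtest folder with no index file, serves it from Python's own http.server as a stand-in for a misconfigured web server (an assumption of this demo, not something the article describes), asks for the folder URL and reports whether the response is a directory index, then adds an index.html and confirms the listing disappears. The title markers it looks for are the ones Python's SimpleHTTPRequestHandler, Apache mod_autoindex and nginx autoindex emit.

```python
import functools
import http.server
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

LISTING_MARKERS = ("<title>Directory listing", "<title>Index of /")


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep request logs out of the demo output
        pass


def start_server(root):
    """Serve `root` on a random loopback port in a background thread."""
    handler = functools.partial(QuietHandler, directory=str(root))
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def listing_exposed(base_url, folder="pathtest"):
    """True if GET /<folder>/ returns a directory index page.
    A 403/404 (listing disabled or folder hidden) counts as not exposed."""
    try:
        with urllib.request.urlopen(f"{base_url}/{folder}/") as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError:
        return False
    return any(marker in body for marker in LISTING_MARKERS)


def run_check():
    """Run the article's test twice: without and with a default file.
    Returns (exposed_before_index, exposed_after_index)."""
    with tempfile.TemporaryDirectory() as root:
        folder = Path(root) / "pathtest"
        folder.mkdir()
        (folder / "notes.txt").write_text("constructed sample file\n")
        httpd = start_server(root)
        base = f"http://127.0.0.1:{httpd.server_address[1]}"
        before = listing_exposed(base)                       # no index file: listing shown
        (folder / "index.html").write_text("<html><body>nothing to see</body></html>\n")
        after = listing_exposed(base)                        # index file: listing gone
        httpd.shutdown()
        httpd.server_close()
        return before, after


if __name__ == "__main__":
    print("listing exposed before/after adding index.html:", run_check())  # (True, False)
```

Against a real server, point listing_exposed at its base URL instead of the local stand-in; a missing index file only hides the listing, so the lasting fix is still the server setting the admin turns off.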