In this blog post, the author states:
GOOD it's a java applet that appears to run locally so your password is never sent over the internet
This is clearly NOT a Java applet if you take a cursory peek at the HTML source! The password input field named 'pc001' has an 'onKeyUp' event handler that calls a JavaScript function named EvalPwdStrength. That function is downloaded from here.
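To make the point concrete, here is an added example (my own code, not the SANS page's EvalPwdStrength script) of what a client-side strength meter of this kind looks like. It is plain JavaScript attached to a keyup handler, exactly the shape described above; the function name, scoring weights, verdict thresholds and the small list of common passwords are assumptions of this example.

```javascript
// Added example: a minimal client-side password-strength evaluator in the
// spirit of the EvalPwdStrength handler the post describes. Scoring weights,
// thresholds and the common-password list are this example's own assumptions.
// Everything here runs locally; the function itself never touches the network.

const CHARACTER_CLASSES = {
  lower: /[a-z]/,
  upper: /[A-Z]/,
  digit: /[0-9]/,
  symbol: /[^A-Za-z0-9]/,
};

// Approximate size of each character class, used to estimate the keyspace.
const POOL_SIZES = { lower: 26, upper: 26, digit: 10, symbol: 33 };

// Constructed list of common passwords that a strength meter should reject outright.
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein"]);

function evalPwdStrength(pwd) {
  const classes = Object.keys(CHARACTER_CLASSES).filter((c) =>
    CHARACTER_CLASSES[c].test(pwd)
  );
  // Keyspace estimate in bits: log2(pool) * length, where pool is the sum of
  // the sizes of the character classes actually present in the password.
  const pool = classes.reduce((n, c) => n + POOL_SIZES[c], 0);
  const bits = pool > 0 ? Math.log2(pool) * pwd.length : 0;

  let verdict;
  if (COMMON_PASSWORDS.has(pwd.toLowerCase()) || bits < 28) verdict = "weak";
  else if (bits < 60) verdict = "fair";
  else verdict = "strong";

  return { length: pwd.length, classes, bits: Math.round(bits), verdict };
}

// Browser wiring, mirroring the onKeyUp hookup the post describes. The input
// name 'pc001' comes from the post; the guard lets this file also load under
// Node (no document object) for testing.
if (typeof document !== "undefined") {
  const input = document.querySelector('input[name="pc001"]');
  if (input) {
    input.addEventListener("keyup", () => {
      const result = evalPwdStrength(input.value);
      console.log(`${result.verdict} (${result.bits} bits, ${result.classes.join("+")})`);
    });
  }
}
```

Note what this does and does not prove: the evaluation is local, but that is a property of this particular script, not of "JavaScript in a page" in general. The check a practitioner wants before trusting any such meter is to open the browser's network panel and confirm that no request leaves the page while typing, especially when the handler is loaded from a different host than the page itself.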
I notified SANS of the misinformation and requested a correction be published. I guess this is a good reminder that you can't believe everything you read on the internet; even from a popular site such as SANS (including my blog too!) :)
I agree with the SANS author's assertion that typing your passwords into a web page, no matter where it's hosted, is a bad idea. Just follow the guidelines and you'll have strong passwords.
If you have trouble remembering lots of strong passwords, try using a password manager program such as:
- Password Minder by Keith Brown of Pluralsight
- Password Safe by Bruce Schneier of Counterpane
cheers
jk