WebApp Sec mailing list archives
Re: Why doesn't Amazon enforce a password policy?
From: "Jeff Robertson" <jeff.robertson () gmail com>
Date: Fri, 27 Oct 2006 11:42:15 -0400
Well then I take back what I said. I must be mixing them up with a different site. In that case, I figure that unless PCI or something forces them to strengthen the authentication, they're just going to do whatever is cheaper for themselves (Amazon).

On 10/27/06, James Strassburg <JStrassburg () directs com> wrote:
> They do store credit card numbers (foundation of the whole 1-click ordering thing). Additionally, they don't even give you the option of not storing it when you place an order. You have to go back and delete it later.
>
> JiM Strassburg
>
> -----Original Message-----
> From: Jeff Robertson [mailto:jeff.robertson () gmail com]
> Sent: Friday, October 27, 2006 7:42 AM
> To: James Strassburg
> Cc: webappsec () securityfocus com
> Subject: Re: Why doesn't Amazon enforce a password policy?
>
> Admittedly it's been a long time since I bought something on there, but don't you have to enter the credit card number every time, regardless of having logged in and used it before? (Correct me if I'm wrong, as I very likely could be.)
>
> So there's really nothing in your Amazon user profile worth protecting beyond the most basic efforts. Does this also apply to your company?
>
> On 10/24/06, James Strassburg <JStrassburg () directs com> wrote:
> > There is a small war going on where I work. I am trying to get a password policy enforced for our web applications and certain business leaders are opposing it. There are two areas of opposition:
> >
> > 1. Minimum password length of 6 (currently 4, 6 was going to be a compromise).
> > 2. Expiration of passwords (currently none).
> >
> > Strength requirements on the password content seem to be ok with them.
> >
> > These leaders compare our business with Amazon (a bit of a reach but we go with it for argument's sake) and their main argument for not enforcing a minimum password length and password expiration is that Amazon doesn't do it.
> >
> > How should I go about convincing them that Amazon.com is wrong and the fact that they haven't had a severe account breach is no reason not to implement a policy ourselves? Or, to play devil's advocate with myself, if I'm wrong, why doesn't Amazon enforce a password policy?
> >
> > On a side note, the development work for implementing the policy is already done. It was done as part of a separate project and just not turned on until this argument could be resolved, so there will be almost no development cost associated with implementing the policy.
> >
> > Thanks for your feedback.
> >
> > James Strassburg
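As an added example (not code from the thread or from any of the posters), here is a checker for the three rules James lists, with the current settings beside the proposed compromise; the 90-day expiry, the two-character-class content rule and the 62-character alphabet are assumptions. The keyspace helper quantifies the length argument the thread leaves implicit.

```python
# Added example, not from the thread. Policy values other than the 4 -> 6
# minimum length and "currently no expiration" are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
import string


@dataclass
class PasswordPolicy:
    min_length: int                 # thread: currently 4, proposed 6
    max_age_days: Optional[int]     # None = passwords never expire (current state)
    required_classes: int           # distinct classes: lower/upper/digit/other (assumed rule)


CURRENT = PasswordPolicy(min_length=4, max_age_days=None, required_classes=1)
PROPOSED = PasswordPolicy(min_length=6, max_age_days=90, required_classes=2)


def char_classes(pw: str) -> int:
    """Count how many character classes the password draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    n = sum(any(c in cls for c in pw) for cls in classes)
    if any(c not in string.ascii_letters + string.digits for c in pw):
        n += 1  # anything else counts as the "other" class
    return n


def violations(pw: str, last_changed: date, today: date,
               policy: PasswordPolicy) -> List[str]:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    out = []
    if len(pw) < policy.min_length:
        out.append(f"too short: {len(pw)} < {policy.min_length}")
    if char_classes(pw) < policy.required_classes:
        out.append(f"too few character classes: {char_classes(pw)} < {policy.required_classes}")
    if policy.max_age_days is not None and \
            today - last_changed > timedelta(days=policy.max_age_days):
        out.append(f"expired: older than {policy.max_age_days} days")
    return out


def keyspace(length: int, alphabet_size: int = 62) -> int:
    """Number of passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def keyspace_growth(from_len: int, to_len: int, alphabet_size: int = 62) -> int:
    """Factor by which the search space grows when the minimum length is raised."""
    return keyspace(to_len, alphabet_size) // keyspace(from_len, alphabet_size)
```

Running the same password through CURRENT and PROPOSED shows exactly which of the two disputed rules it would newly fail.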