Sorry, forgot "security 101". The _only_ secure site is zymmetrical.

Glad to know that at least 1 site is full secure...

Speaking of security, do you guys change your passwords regularly?

I try to do so but maybe not as frequently as I should...

And Keith (from Zimm.) There's seems to be a glitch with your system when I try to change my PW.  In Account|Profile, I change Pw and then Update but I still have to use my old pw...  What am I missing?

Claude

? The FTP password is different than the registered member password (which is different than how most sites are set up). We explicitly did this for the tradeoff that most people won't want to FTP in SSL mode; it's slow. So, we allow non-secure connections with FTP, and in the extreme event that someones FTP password was compromised, the worst thing a bad guy could do is FTP us images of their aunt Matilda. 

As for the question for le_cyclope about password updates, good catch - must have been a recent bug, i've disabled that for now. Will have it fixed shortly.

Heh well like I tried to say.. no one should ever say "We're 100% secure". It's just not going to happen.  The more we can put the trust into code and automatic methods, however, the more business value is gained.

Password changing:  The problem is resolved, if you go to https://www.zymmetrical.com/account/profile/ you can change at will. How's that for Sunday Service.

One more remark, I think it's safe to send me an email telling me that my pw has been changed, but not so secure to write my new pw in clear in the message.

But I don't expect any more changes in your system before monday!

Claude

Sure, I can login secure... but I cannot upload.  Timeout errors.  Fatal something errors... darn, I closed that window.  All kinds of code popped up on my screen though..   Guess I'll try another day.

Well this is a business decision, the same as the 'Forgot Password' function.     Is it more secure to not have such features? Yes, but possibly at the expense of convenience.

I am personally much more concerned about scenarios like Cphoto described: a member uses the same password on every site on the internet, and it only takes one unscrupulous one to go fishing with members passwords and see if they can do some funny business with their accounts elsewhere. Like Hal 9000, it's usually humans who mess up.     

But, if you enforce a generated password on users, especially a complex one, chances are that they won't remember it and will either bog down your staff answering "what's my password" questions and/or driving away people from using your site because they can never remember the password- it's much easier for them to participate where they remember the password because it is the same as everywhere else.

Layered defense is best.

One more remark, I think it's safe to send me an email telling me that my pw has been changed, but not so secure to write my new pw in clear in the message.

But I don't expect any more changes in your system before monday!

Claude

Looks like Cutcasters joined the secure website club

Nope

I did comment on other thread -  basically, look at Zym, only they did it the right way

On that note, if they can send you your password in clear that means their password DB is not encrypted, and they store the password unencrypted in their DB

I don't believe that you can make that assumption - databases can be encrypted regardless of the security on the page.