May 31st, 2005


passwords and security

Wikipedia is currently under a little fire for leaking information about users' passwords.

I'm not going to get into details on whether they should have released the info or not. I am going to say, however, that they shouldn't have had that information available to begin with. It's simple to build an authentication system for a website where not only are you unable to retrieve anyone's password, but you're not able to tell who has the same password. And this should have been one of those systems.

Yes, this means any website that has a "retrieve your password" feature is badly designed. The proper feature to have is a "reset your password" feature. If they *can* retrieve your password, they're not guarding it appropriately.

Just FYI.
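The design described above, as an added sketch that is not code from the original post: each account stores only a random salt and a PBKDF2 output, so the site cannot recover a password or see that two users chose the same one, and a forgotten password is handled by a single-use reset token. `UserStore`, its method names, the iteration count and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class UserStore:
    """Hypothetical in-memory user table; the password itself is never stored."""
    def __init__(self):
        self.records = {}       # username -> (salt, derived key)
        self.reset_tokens = {}  # sha256(token) -> (username, expiry time)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)  # fresh per user, so equal passwords differ
        self.records[user] = (salt, derive(password, salt))

    def verify(self, user, password):
        # Unknown users still cost one derivation, so timing does not reveal them.
        salt, stored = self.records.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, derive(password, salt))

    def start_reset(self, user, ttl=900):
        if user not in self.records:
            return None
        token = secrets.token_urlsafe(32)  # sent to the account owner, not stored
        key = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[key] = (user, time.time() + ttl)
        return token

    def finish_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).digest()
        user, expiry = self.reset_tokens.pop(key, (None, 0))  # single use
        if user is None or expiry < time.time():
            return False
        self.set_password(user, new_password)
        return True

if __name__ == "__main__":
    store = UserStore()
    store.set_password("alice", "hunter2")  # constructed sample accounts
    store.set_password("bob", "hunter2")    # same password as alice
    print(store.records["alice"][1] != store.records["bob"][1])
    token = store.start_reset("alice")
    print(store.finish_reset(token, "new passphrase"), store.verify("alice", "hunter2"))
```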