httplib2: HTTP Persistence and Authentication
In this latest Restful Web column, Joe Gregorio explains HTTP persistent connections, pipelining, and the sad state of HTTP authentication.
Gregorio, Joe. XML.com (2006). Articles>Web Design>XML>Security
Mask Your Web Server for Enhanced Security
Masking or anonymizing a Web server involves removing identifying details that intruders could use to detect your OS and Web server vendor and version.
Lima, Joe and Thomas Powell. evolt (2005). Articles>Web Design>Security
Password Encryption: Rationale and Java Example 
Most web sites today have some sort of registration module where a user is asked to choose a username/password combination. This data gets stored in the database. You might wonder if the password you provide will be kept well-protected (read: encrypted). In case you are the person designing such a backend registration component, why not give your users peace of mind by encrypting their passwords?
Shvarts, James. evolt (2005). Articles>Web Design>Security
PHP Login System with Admin Features
I have written and am presenting here a complete Login System that can be easily integrated into any website.
evolt (2005). Articles>Web Design>Security
A big lie of computer security is that security improves as password complexity increases. In reality, users simply write down difficult passwords, leaving the system vulnerable. Security is better increased by designing for how people actually behave.
Nielsen, Jakob. Alertbox (2000). Articles>Web Design>Usability>Security
Security is the lifeblood of any web application and every online business. No matter how hard you work designing a great site, creating high-end content, building a lively traffic stream, and improving every aspect of your online business, it can easily be stolen away if you aren’t protected. Protecting your web presence seems like a daunting task, but there are simple solutions that any webmaster can do to increase security of their applications.
Robbins, Kyle. ReEncoded (2008). Articles>Web Design>Security
How They Hack Your Website: Overview of Common Techniques
We hear the same terms bandied about whenever a popular site gets hacked. You know: SQL injection, cross-site scripting, that kind of thing. But what do these things mean? Is hacking really as inaccessible as many of us imagine, a nefarious, impossibly technical twilight world forever beyond our ken? Not really.
Conroy, John. CMSwire (2008). Articles>Web Design>Security>SQL
Seven Habits for Writing Secure PHP Applications
Security in a PHP application includes remote and local security concerns. Discover the habits PHP developers should get into to implement Web applications that have both characteristics.
Good, Nathan A. IBM (2008). Articles>Web Design>Security>PHP
Captcha Usability Revisited: Google Inaccessible to Blind People
An online petition is being circulated to all Internet users for the purpose of collecting signatures showing support for Google to make its word verification scheme accessible to the blind and visually impaired.
Rønn-Jensen, Jesper. Just Add Water (2006). Articles>Web Design>Accessibility>Security
Enhanced Interoperability for Security of XML Web Services
Enterprises are adopting Web Services to ease application integration across heterogeneous environments within and across security domain boundaries. Security is an important element for the adoption of Web Services. The Organization for the Advancement of Structured Information Standards (OASIS) has recently ratified the Web Services Security standards (Web Services Security: SOAP Message Security 1.0 (WS-Security 2004), Web Services Security: UsernameToken Profile 1.0, and Web Services Security: X.509 Certificate Token Profile) to provide an extensible framework for providing message integrity, confidentiality, identity propagation, and authentication. The Web Services Interoperability Organization (WS-I) is profiling standards to provide guidelines for implementation and use of relevant standards to enhance interoperability. This paper describes the activities of the WS-I Basic Security Profile (BSP) Working Group (WG). This Working Group is chartered to improve interoperability of security technologies for Web Services by profiling the OASIS Web Service Security and HTTP Over TLS standards. This interoperability profile (known as the Basic Security Profile 1.0) is an extension of the WS-I Basic Profile. The WS-I Basic Profile addresses interoperability for implementations of core Web Services standards.
Austel, Paula, Michael McIntosh and Anthony Nadalin. IDEAlliance (2004). Articles>Web Design>XML>Security
My business and passion is accessibility and there is obviously a huge problem with these visual CAPTCHAs. If you used alt-text on this image, alt="e3TJ6Jdp", that would be fine and very welcome for blind visitors. It would also be welcome for any computer system seeking to sign up for lots of emails. Using alt-text on the image does not solve the problem! The visual image CAPTCHA is fundamentally inaccessible. For the example above, this means very simply that Yahoo excludes people who are blind (or vision impaired) from signing up for Yahoo email accounts.
Thatcher, Jim. JimThatcher.com (2009). Articles>Accessibility>Security>Web Design
Evaluating Existing Audio CAPTCHAs and an Interface Optimized for Non-Visual Use 
Audio CAPTCHAs were introduced as an accessible alternative for those unable to use the more common visual CAPTCHAs, but anecdotal accounts have suggested that they may be more difficult to solve. This paper demonstrates in a large study of more than 150 participants that existing audio CAPTCHAs are clearly more difficult and time-consuming to complete as compared to visual CAPTCHAs for both blind and sighted users. In order to address this concern, we developed and evaluated a new interface for solving CAPTCHAs optimized for non-visual use that can be added in-place to existing audio CAPTCHAs. In a subsequent study, the optimized interface increased the success rate of blind participants by 59% on audio CAPTCHAs, illustrating a broadly applicable principle of accessible design: the most usable audio interfaces are often not direct translations of existing visual interfaces.
Bigham, Jeffrey P. and Anna C. Cavender. University of Washington-Seattle (2008). Articles>Accessibility>Security>Web Design
A Large-Scale Study of Web Password Habits 
We report the results of a large scale study of password use and password re-use habits. The study involved half a million users over a three month period. A client component on users’ machines recorded a variety of password strength, usage and frequency metrics. This allows us to measure or estimate such quantities as the average number of passwords and average number of accounts each user has, how many passwords she types per day, how often passwords are shared among sites, and how often they are forgotten. We get extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site. The data is the first large scale study of its kind, and yields numerous other insights into the role the passwords play in users’ online experience.
Florencio, Dinei and Cormac Herley. WWW 2007 (2007). Articles>Web Design>Security
Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.
Nielsen, Jakob. Alertbox (2009). Articles>Web Design>Security>Usability
When users type in a password and the only feedback they get is a row of black dots, usability suffers. Hiding the password rarely strengthens security; on the contrary, the resulting login failures hurt your business.
Nielsen, Jakob. Usability.gr.jp (2009). (Japanese) Articles>Web Design>Security>Usability