What Medieval Castles Can Teach You About Web Security
Ancient castles weren't just guarded by stone walls; they had multiple layers of defense. Here’s how to apply castle architecture to your own software design by securing your systems on multiple levels. by +Matt Heusser
We bandy about terms like “firewall” to represent the way we protect IT services and software applications, but the analogies have a very real origin and relevance to application design. Take the cast...
Great post. A couple of things though. Password policies are great, but if you make it too complex, force a change too often or have too many passwords, you open up another security hole: writing the password down. I prefer memorable passphrases, which are easier to remember and harder to guess.

Also, I agree that sanitizing input to prevent SQL injection and XSS is essential, but it needs to be done intelligently. One thing I've commonly seen over the years is to prevent input with apostrophes. This sounds sensible, but drives me crazy. Mainly because I have an apostrophe in my last name and there's no need for it provided you use SQL placeholders or ORMs such as the one you suggested.
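The placeholder approach the comment recommends, as an added example that is not from the article or this thread: a name containing an apostrophe is stored and looked up intact when the driver binds it as a parameter, while splicing it into the SQL text breaks the query, which is the defect an apostrophe ban only hides. Uses Python's sqlite3 with constructed sample rows.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the thread).
SAMPLE_USERS = [("Matt Heusser",), ("Tim O'Brien",), ("Dana D'Angelo",)]


def name_is_acceptable(name):
    # Validation should check length and control characters, not ban
    # punctuation that legitimately appears in names; quoting is the driver's job.
    return 0 < len(name) <= 100 and all(ch.isprintable() for ch in name)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # Placeholders on the write path too, so the apostrophe is stored as-is.
    conn.executemany("INSERT INTO users (name) VALUES (?)", SAMPLE_USERS)
    return conn


def find_by_name_concat(conn, name):
    # The pattern an apostrophe ban tries to paper over: the value becomes part
    # of the SQL text, so a name like O'Brien terminates the string early.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"error: {exc}"


def find_by_name_param(conn, name):
    # The fix: the value is bound separately, so it is always data, never SQL,
    # and any quote or keyword inside it is matched literally against the column.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_concat(db, "Tim O'Brien"))  # error: the quote breaks the SQL
    print(find_by_name_param(db, "Tim O'Brien"))   # ["Tim O'Brien"]
```

An ORM builds the same parameterized statement under the hood, which is why it removes the need for the ban just as the comment says.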
You've got a good point there - make the password too complex and people will write it down on little slips of paper they hide under the keyboard! :-)

Good point. I'll pause to let you leave the (needed) comment in the article, or else add it myself in a day or two. (DARN it! Tim Western, one of my peer reviewers, mentioned it, and I failed to incorporate that in the article. Thank you.)
No worries. I'll leave you to modify the article :)
What do you think of password minder programs that allow you to not write down complex passwords? Just have one complex password to open up the minder program (and one to get access to your computer with that on it). 1Password, DataVault, etc.
Short answer: if it's complex enough, I am fine with this for personal accounts. For business accounts, I would have concerns.
