I meant to blog about this last week, but I was sick and never got around to it. There was a great conversation I was following about "Should login pages be protected by SSL?"

Lots of good points on both sides. I definitely favor secure login pages for financial sites, purchasing sites, etc.; that's a no-brainer. I'm not sure about general-purpose sites, though.

The case that bothers me is logging on over an insecure wi-fi hotspot. For me, I have several levels of passwords of increasing complexity and varying rotation schedules:

  1. simple disposable accounts when checking out a site, "qwerty"-style password for an account that I probably will never come back to
  2. sites where I'm not very concerned about the data (bloglines, my yahoo)
  3. message boards, email password
  4. bank, paypal, credit card sites
  5. webserver shell, database, etc.
  6. government work

So, if someone sniffs my msgboard password from an unsecured login page, it won't likely cause problems with my bank account. But I have the feeling that some people, like my parents, have a common password for most of their sites.

So, is it a disservice to leave a login page non-https for your users, even if you're not handling sensitive data (aside from the password)?

I've been debating whether or not to secure the login page for Gefilter Fish, so I checked out what the trend currently is with hip websites:
http://del.icio.us/login - doesn't appear to use ssl
http://www.flickr.com/login.gne - doesn't appear to use ssl
http://www.blogger.com/start - doesn't appear to use ssl
http://www.bloglines.com/login - doesn't appear to use ssl
http://www.furl.net/index.jsp - doesn't appear to use ssl
http://123.backpackit.com/login - doesn't appear to use ssl
http://360.yahoo.com - MODE: Standard | Secure option

Hmm, not many sites seem to bother securing a login page anymore. Am I missing something? Is there a better, Web 2.0 method of accomplishing this nowadays that I don't know about? Or have people come to the conclusion that it doesn't really matter for non-critical websites?

