Posts Tagged ‘security’

autocomplete="off"

Something I haven’t thought about much, but very important: for sensitive information, turn off autocomplete on input tags.

<input type="text" name="super-secret-pin-num" autocomplete="off" />

It’s a non-standard attribute, but all the major browsers implement it (including WebKit/Safari).

h/t Pete Freitag
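
An added example (not part of the original post): a small Node.js audit that lists sensitive inputs which neither set autocomplete="off" themselves nor inherit it from their enclosing form. The name-matching pattern, the skipped input types and the sample markup are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. SENSITIVE is an assumed naming
// heuristic for fields worth protecting; tune it for your own forms.
const SENSITIVE = /pass|pin|secret|card|cvv|ssn/i;
const SKIP_TYPES = ["hidden", "submit", "button", "checkbox", "radio"];
const isOff = (v) => (v || "").trim().toLowerCase() === "off";

// Parse one tag's attributes into a map keyed by lower-cased attribute name.
function parseAttrs(tagBody) {
  const attrs = Object.create(null);
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of tagBody.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Regex scan, so it assumes no ">" appears inside attribute values.
function findAutocompleteGaps(html) {
  const gaps = [];
  let formOff = false; // does the enclosing <form> set autocomplete="off"?
  const tagRe = /<(\/?)(form|input)\b([^>]*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    if (m[2].toLowerCase() === "form") {
      // An opening tag sets the default; a closing </form> resets it.
      formOff = m[1] === "" && isOff(parseAttrs(m[3]).autocomplete);
      continue;
    }
    const a = parseAttrs(m[3]);
    const type = (a.type || "text").toLowerCase();
    if (SKIP_TYPES.includes(type)) continue;
    const sensitive = type === "password" || SENSITIVE.test(a.name || a.id || "");
    // An explicit value on the input overrides the form-level setting.
    const off = a.autocomplete !== undefined ? isOff(a.autocomplete) : formOff;
    if (sensitive && !off) gaps.push(a.name || a.id || "(unnamed)");
  }
  return gaps;
}

// Constructed sample markup, including the field from the post above.
const SAMPLE = `
<form action="/login">
  <input type="password" name="password">
  <input type="text" name="super-secret-pin-num" autocomplete="off" />
</form>
<form action="/pay" autocomplete="off">
  <input type="text" name="card-number">
  <input type="text" name="cvv" autocomplete="on">
</form>`;
console.log(findAutocompleteGaps(SAMPLE));
```

Current browsers' password managers may still offer to save login fields despite autocomplete="off", so a clean result is one control rather than a guarantee.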

Network security and filthy lies told by Windows XP

Note: Everything below relates to Windows XP Professional with Simple File Sharing turned off.

One of the simple things that can be done to prevent unwanted peer-to-peer network access to data on Windows is to disable the Guest account (you can alternatively give permissions to specific users or groups, but for my situation this is a hassle as I generally don’t need that level of granularity). By some mechanism unknown to me (perhaps malware or a recent virus), the Guest account on my desktop was turned on. With the Guest account on and shared folders allowing everyone access, any machine connected to the network was able to seamlessly log in and access anything in the shared folders. The situation bugged me for quite a while, as I didn’t realize the active Guest account was the culprit, because from looking at the User Accounts extension in Control Panel, I saw the following:

[Image: win xp guest account off]

Unfortunately, this does not mean the account is actually disabled; it simply means it doesn’t appear on XP’s welcome screen. I finally took a look at the Administrative Tools >> Computer Management extension, then navigated to Local Users and Groups >> Users, and saw that the Guest account was enabled. Disabling it here (right-click on Guest >> Properties >> check the “Account is disabled” checkbox) actually disabled the account and prevented automatic authentication as Guest for incoming peer-to-peer connections.

[Image: win xp users]

As you can probably guess, my real annoyance here is the discrepancy between what appears in the User Accounts extension vs. the actual state of the account.