Hacker News

If a site is indifferent, incompetent, or stupid about password security, you should assume they are the same with credit card security until proven otherwise.
This is an incredibly dangerous assumption. It implies they're doing credit card security right just because they put a crypt() call in their code.

Always assume they're doing it wrong, because usually they are.
I'm not suggesting that implication. The implication is that when you know someplace seriously botched security in one area, you should assume all their security is suspect.

The default most of us have to use when we use websites is to assume that they are doing things right, so seeing no problem in one area (login passwords) doesn't change anything about our confidence in the rest of the site (credit cards). It stays at default.
Actually, you really can't. A very good & common security process is to keep your payment system separate from the rest of the site.