All things related to information security, intrusion detection, and cryptography.

Old Passwords Still Working?!

I've had to respond to this topic a number of times now, so I figured I would just write it up here for future reference. If you are using Active Directory and you administratively change a principal's password, sometimes you find that the old password still works (at least for a little while). Most often you'll see this if you are using PrincipalContext or a Membership Provider that uses A.D. under the covers, because when you call their methods to change a password, they do an administrative password change (a reset rather than a user-initiated change) over LDAP. This is actually an old feature of NTLM authentication. The concept being...
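The behaviour the post describes, as an added example that is not code from the original post: reset an account's password administratively through PrincipalContext (the same LDAP-backed path an A.D. membership provider's change-password method takes), then keep checking whether the old password is still accepted and for how long. The domain name, the account name, both passwords and the 90-minute polling limit are hypothetical; run it from a domain-joined host as a user allowed to reset that account's password.

```powershell
# Added example, not from the original post. Reproduces "old password still works"
# after an administrative reset done through PrincipalContext.
# Hypothetical values: domain CORP.EXAMPLE, test account svc-test, both passwords.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$domain  = 'CORP.EXAMPLE'
$user    = 'svc-test'
$oldPass = 'Old-Passw0rd!2008'   # the password the account had before the reset
$newPass = 'New-Passw0rd!2008'   # the password we set administratively

$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)

function Test-DomainCredential {
    param([string]$Password)
    # ValidateCredentials authenticates to the domain with the supplied secret.
    # Right after a reset, the post observes this still returns $true for the old one.
    return $ctx.ValidateCredentials($user, $Password)
}

# Administrative reset: SetPassword needs no knowledge of the old password, which is
# what makes it a "reset" rather than a user-initiated "change".
$account = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $user)
if (-not $account) { throw "Account $user not found in $domain" }
$account.SetPassword($newPass)
$account.Save()
$resetAt = Get-Date

"New password accepted: $(Test-DomainCredential $newPass)"
"Old password accepted immediately after reset: $(Test-DomainCredential $oldPass)"

# Poll until the old password is finally rejected (or give up after 90 minutes)
# and report how long the grace window lasted.
$deadline = $resetAt.AddMinutes(90)
while ((Get-Date) -lt $deadline) {
    if (-not (Test-DomainCredential $oldPass)) {
        $elapsed = [int]((Get-Date) - $resetAt).TotalMinutes
        "Old password rejected after roughly $elapsed minute(s)."
        return
    }
    Start-Sleep -Seconds 300
}
"Old password still accepted after 90 minutes; check OldPasswordAllowedPeriod on the domain controllers."
```

Two things worth knowing when you run this. The grace period applies to NTLM network logons only; Kerberos and interactive logons reject the old password immediately, so a test that happens to go through Kerberos will not show it. Microsoft documents the window in KB 906305: it defaults to 60 minutes and is controlled on the domain controllers by the DWORD `OldPasswordAllowedPeriod` (in minutes) under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; setting it to 0 disables the behaviour. The practical consequence is that resetting a compromised account's password does not, by itself, cut off an attacker who is already authenticating with NTLM until that window has elapsed.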

I Can See Your Email from My House in Alaska

I should have probably blogged about this earlier, but this has been a really busy week for me on my project. Shortly after my latest post on passwords, I had several talks with associates. Quite a few of them were ribbing me about how I'm too security conscious. As if there is such a thing as too much security. Then, right on cue, as if to prove my point, Sarah Palin's email account got "hacked". I say that in the loosest, pop-culture sense of the word, because it really isn't a hack. A hack is someone disassembling a backbone router's operating code...

Handling Passwords

There are two reasons I’m writing this post. First, I’ve noticed a slew of articles and blog entries lately about the topic. Now, that’s good from the perspective that it’s an indication of people taking the topic seriously, and also helps to get the word out. Second, I’ve noticed that the authors often have incomplete and/or somewhat inaccurate information, which I’m sure they got from reading someone else’s incomplete and/or inaccurate material. That doesn’t necessarily make it bad, but they write the material with an authoritative tone – because, you know, blog authors are all leading experts in their fields,...