Secure the ORCID registration form

Completed

Comments

5 comments

  • Anonymous
    In this era, this point is mandatory. In addition to hashing passwords, they have to be salted. Anything less than this is way below best practices.
  • Anonymous
    I just clicked around a bit and ended up in a Tomcat error message giving the path of the database driver. I downloaded it, including the access information for the database... well, I did not test whether I could access the database using this information!
  • Anonymous
    I'm starting to get the impression that this site was put together by CS freshmen. It lacks basic security features, http://about.orcid.org/about/news/docs is lorem ipsum (and why is documentation under news?), sometimes an invalid jsessionid appears out of nowhere, publication types can be selected but the fields don't change accordingly (like editor, conference etc., as you have in BibTeX)... I could go on. Using even a ready-made CMS would give a better result than this site. They should really hire someone from ResearchGate to show them how it's done! :-( And just to prove my point, I will submit using a fake email address.
  • Anonymous
    When I created my own ORCID ID there did not appear to be any check to verify that I really was the person whom I said I was. As far as I can see, I could create an ORCID ID for any existing real person and provide an email address which I had just newly set up for the purpose of registration. The real person whose identity I'd just spoofed would then have to disentangle their ID from the fake one that I'd created.
  • Ana Cardoso

    *[UPDATE - Nov 8, 2012]*
    To help provide more transparency on the security features of the Registry, we have created a new Knowledge Base article on the subject. You can find it here:

    http://support.orcid.org/knowledgebase/articles/136222

    We are also planning to create a working group to review and make additional recommendations regarding security. This group will be forming in the next several weeks, and we will be updating this idea with an invitation to consider joining this group.

    For more general information about our working groups, please see:

    http://support.orcid.org/knowledgebase/articles/135210-how-are-new-features-decided-#working-groups

    Thanks again for your input.

    Best,
    Laura
    The ORCID Team

    ---

    The entire registry is served from HTTPS servers. Our passwords have been hashed from the start. Thanks.

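The first commenter's point (hashing is not enough, each password needs its own salt) and the team's reply that passwords "have been hashed from the start" are both about the same mechanism, so here is a worked illustration of the difference. This is an added example written for this page; it is not ORCID's code, and the page says nothing about which algorithm or parameters the Registry uses. The scheme below (PBKDF2-HMAC-SHA256 with a random 16-byte salt and 600,000 iterations, the OWASP-recommended minimum for that function) and the two sample users are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumed for this demo, not ORCID's settings).
# 600,000 is the OWASP recommendation for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: "hashed" but not salted.

    Two users with the same password get the same digest, so one
    precomputed table (or one cracked hash) covers all of them.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing storage format.

    A fresh random salt is drawn per password unless one is supplied
    (supplying one is only useful for tests). The salt and iteration
    count are stored alongside the digest so verification can rebuild it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-numeric count).
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def demo() -> dict:
    """Constructed scenario: two registrants who happen to pick the same password."""
    shared_password = "correct horse battery staple"  # sample input for the demo

    # Unsalted: identical passwords leak as identical hashes in the user table.
    alice_unsalted = unsalted_hash(shared_password)
    bob_unsalted = unsalted_hash(shared_password)

    # Salted: each record gets its own salt, so the stored values differ
    # and an attacker must attack each one separately.
    alice_record = hash_password(shared_password)
    bob_record = hash_password(shared_password)

    return {
        "unsalted_equal": alice_unsalted == bob_unsalted,     # True: the weakness
        "salted_equal": alice_record == bob_record,           # False: salt per user
        "alice_ok": verify_password(shared_password, alice_record),
        "alice_wrong": verify_password("wrong password", alice_record),
        "alice_record": alice_record,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the commenter makes is visible in the first two result fields: with plain hashing the two records are byte-for-byte identical, with per-user salts they are not, even though the password is the same. The iteration count is what makes each guess expensive; the salt is what stops the attacker from amortising that cost across users or a precomputed table.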
