Instagram stored your password in plain text…

 Nice: Looks like Instagram is trying to compete with Linkedin in terms of password in-security: Instagram accidentally exposed some user passwords through its data download tool – The Verge … :

According to Instagram, some users who used that feature had their passwords included in a URL in their web browser, and that the passwords were stored on Facebook’s servers, Instagram’s parent company. A security researcher told The Information that this would only be possible if Instagram stores its passwords in plain text, which could be a larger and concerning security issue for the company. An Instagram spokesperson disputed this, saying that the company hashes and salts its stored passwords.

Wechselwahn – why it does not make sense to enforce recurrent password changes.

In this article for Heise I’X (in German) I present statistical and empirical evidence why it usually is a bad idea to force your users to change their password regularly. In fact, you’ll maybe push users to use patterns for their passwords that are cracked much easier than their password. What is a good password, and why you should only change it when you have reason for doubt. “You will need good reason to push your users into regularly changing their passwords – and only in few cases or insecure environments this may make sense at all…”

Factsheets and calculations about the right password length.