<h1 align="center">Securit des comptes</h1>
  
<ul>
  <li><a href="#defs">Definitions of Terms</a></li>
  <li><a href="#allacc">All Accounts Must Be Protected </a></li>
  <li><a href="#importance">The Importance of Passwords</a> </li>
  <li><a href="#good">Good Passwords</a> 
    <ul>
      <li><a href="#choosing">Suggestions for Choosing a Good Password</a></li>
    </ul>
  </li>
  <li><a href="#bad">Bad Passwords</a></li>
  <li><a href="#length">Password Length</a></li>
  <li><a href="#multiple">A Password Should Not be Used for Multiple Accounts</a></li>
  <li><a href="#thirdp">Avoiding the Inadvertent Provision of Passwords to Third 
    Parties</a></li>
  <li><a href="#thirdp2">Requests for Your Password from Third Parties</a></li>
  <li><a href="#unreq">Un-requested Password Reminders</a></li>
  <li><a href="#frames">Accessing Restricted Areas of DMOZ from Framed Environments</a></li>
  <li><a href="#storing">Storing Your Password</a></li>
  <li><a href="#noshare">Accounts Should Not Be Shared </a></li>
  <li><a href="#shared">Accessing DMOZ from Shared Computers </a></li>
  <li><a href="#thirdp3">Course of Action in the Event that Editors Know or Suspect 
    a Third Party Has Access to Their Password</a></li>
  <li><a href="#seealso">See Also:</a></li>
</ul>
<p>DMOZ editors are privileged to have access to restricted information (Editor 
  Notes, the contents of the discussion fora, edit logs, etc.) and the ability 
  to modify the data contained within the Directory. In return, it is the responsibility 
  of the editor to take all reasonable precautions to ensure the security of their 
  account. The following document has been created to aid this process. </p>
  
<h2><a name="defs"></a>Definitions of Terms</h2>
  <ul>
    <li> <b>Account</b> - The privileges on DMOZ that are associated with a given 
      set of credentials.</li>
    <li><b>DMOZ</b> - The system located at <a href="http://dmoz.org:8080/">http://dmoz.org:8080/</a> 
      . </li>
    <li><b>Credentials</b> - An editor's username and the corresponding password, 
      or any combination thereof. </li>
    <li><b>Password</b> - The secret phrase which is required to be entered in 
      conjunction with the appropriate username to authenticate an editor to the 
      DMOZ system. </li>
    <li><b>Username</b> - Also known as the 'editor name', this is the unique 
      identifier used in conjunction with the appropriate password to authenticate 
      an editor to the DMOZ system. </li>
    <li><b>Web client</b> - The user agent being used to access DMOZ. Web broswers, 
      such as Netscape, are Web clients. </li>
    <li><b>Third party</b> - Any individual or group who are unauthorised to access 
      DMOZ and / or to access the account in question. They will usually operate 
      with malicious intent. </li>
    <li><b>Restricted area</b> - Any part of DMOZ that requires the user to correctly 
      authenticate themselves before being allowed access. </li>
  </ul>
  
<h2><a name="allacc"></a>All Accounts Must Be Protected </h2>
  
<p>No account, even one that solely provides extremely low-level access, should 
  be deemed insignificant, and thus exempt from the following suggestions. Any 
  avenue providing attackers elevated access to DMOZ must be protected. </p>
  
<h2><a name="importance"></a>The Importance of Passwords </h2>
  <p>In the context of DMOZ, editors' passwords are the only barrier preventing 
    unauthorised access to accounts. Therefore, it is vital that they are kept 
    private, and not disclosed -- either unintentionally or intentionally -- to 
    any third party. </p>
  <p>It is also vital that editors choose secure passwords to begin with. </p>
  
<h2><a name="good"></a>Good Passwords </h2>
  <p>Good passwords are passwords that are difficult to guess. The best passwords 
    are difficult to guess because they: </p>
  
<ul>
  <li>Have both uppercase and lowercase letters. </li>
  <li>Have digits and / or punctuation characters as well as letters. </li>
  <li>May include some control characters and / or spaces. </li>
  <li>Are easy to remember, so they don't have to be written down. Are seven or 
    eight characters long. </li>
  <li>Can be typed quickly, so somebody cannot determine what you type by watching 
    over editors' shoulders. </li>
</ul>
<p>It is suggested that editors change their passwords at least once every two 
  months. </p>
<h2><a name="choosing"></a>Suggestions for Choosing a Good Password </h2>
  <p>Take two short words and combine them with a special character or a number, 
    like <samp>dog8Store</samp> or <samp>poinT-me</samp>. Put together that an 
    acronym that's special to you, like <samp>Mimfgle!</samp> (Mozzie is my favourite 
    green lizard, ever!) or <samp>hrddi*B</samp> (Humans really do do it better). 
  </p>
  
<h2><a name="bad"></a>Bad Passwords </h2>
  <p>When picking passwords, avoid the following: </p>
  <ul>
    <li>Your name, spouse's name, or partner's name. </li>
    <li>Your pet's name or your child's name. </li>
    <li>Names of close friends or co-workers. </li>
    <li>Names of your favourite fantasy characters. </li>
    <li>Your boss's name. </li>
    <li>Anybody's name. </li>
    <li>The name of the operating system you're using. </li>
    <li>Information from your profile or personal homepage, if applicable. </li>
    <li>The hostname of your computer. </li>
    <li>Your phone number or your license plate number. </li>
    <li>Any part of your social security number. </li>
    <li>Anybody's birth date. </li>
    <li>Other information easily obtained about you (e.g. address, alma matter). 
    </li>
    <li>Words such as <samp>wizard</samp>, <samp>guru</samp>, <samp>gandalf</samp>, 
      and so on. </li>
    <li>Any username on the computer in any form (as is, capitalised, doubled, 
      etc.). </li>
    <li>A word in a dictionary (English or otherwise). </li>
    <li>Place names or any proper nouns. </li>
    <li>Simple patterns of letters on the keyboard, like <samp>qwerty</samp> or 
      <samp>uiop</samp>. </li>
    <li>Passwords that you've seen provided as 'good' examples. </li>
    <li>Any of the above spelled backwards. </li>
    <li>Any of the above followed or prepended by a single digit. </li>
  </ul>
  <p><b>If an editor's password fits the above definition of a 'bad password', 
    they are strongly encouraged to change it to a 'good password' immediately.</b> 
  </p>
  
<h2><a name="length"></a>Password Length </h2>
  <p>Only the first eight characters of editors' passwords are significant. That 
    is to say, the system regards the password <samp>coefficient</samp> as exactly 
    the same as <samp>coefficientofx</samp>. Editors should be aware of this fact 
    when choosing and entering their passwords. </p>
  
<h2><a name="multiple"></a>A Password Should Not be Used for Multiple Accounts</h2>
  <p> Editors should not use passwords for DMOZ that they use, or have used in 
    the past, for any other system. </p>
  
<h2><a name="thirdp"></a>Avoiding the Inadvertent Provision of Passwords to Third 
  Parties</h2>
  
<p> When editors attempt to access restricted areas of DMOZ, most Web clients 
  will prompt the editor for their credentials via a dialog box. It is important 
  that editors do not blindly enter their credentials when requested, as such 
  behaviour could result in a third party obtaining this information. Instead, 
  editors should read the information provided by the dialog box carefully. Many 
  clients will indicate the domain name of the system that is requesting authorisation. 
  If so, this line should read 'dmoz.org' or 'netscape.com'; variations of these 
  domain names may be operated by third parties, and thus should not be provided 
  with an editor's credentials. </p>
  <p>Some editor-produced tools require access to restricted areas of DMOZ. To 
    avoid the appearance of entering the ODP password into an insecure location, 
    editors should always log directly into the ODP before using these tools.</p>
  
<h2><a name="thirdp2"></a>Requests for Your Password from Third Parties </h2>
  <p>There is never any legitimate reason for anybody to request editors' passwords 
    be sent to them, or request that an editor's password be changed to one supplied 
    by the originator of the communication. Staff members have access to editors' 
    passwords already, and no other editor will ever require it. If editors do 
    receive a password request, they are urged to ignore it. </p>
  
<h2><a name="unreq"></a>Un-requested Password Reminders</h2>
  <p> Third parties can utilise the password reminder function to have the password 
    associated with a given account sent to the e-mail address associated with 
    said account. Therefore, it is requested that the e-mail account editors configure 
    in their profile, is secure and accessible only to the account holder. Shared 
    e-mail accounts are never appropriate to be used in conjunction with DMOZ. 
  </p>
  <p>If editors receive a password reminder that they did not request, there is 
    not necessarily cause for concern -- the password has been sent to the appropriate 
    editor; not the requester. It is possible that the password was requested 
    accidentally. </p>
  
<h2><a name="frames"></a>Accessing Restricted Areas of DMOZ from Framed Environments 
</h2>
  <p>It is strongly suggested that editors do not access any restricted area of 
    DMOZ in a framed environment, i.e. a frameset from a third party site (even 
    a trusted third-party) that calls a URL pointing to a restricted area of DMOZ 
    from any frame. Multiple vulnerabilities have been discovered in browsers 
    that allow a malicious third party to influence the interactions between a 
    user and an unrelated site, and it is likely that many clients will suffer 
    from such a flaw if not now, in the future. If editors insist on accessing 
    DMOZ from a framed environment, it is recommended that they store the frameset 
    document, and all related files, on a local disk, and use them from there. 
  </p>
  
<h2><a name="storing"></a>Storing Your Password </h2>
<p>Editors should memorise their password, and enter it when prompted by dmoz.org 
  via their Web client. The password should not be committed to paper, stored 
  in a retrieval system, or transmitted in any form or by any means, electronic, 
  mechanical, photocopying, recording or otherwise, to anywhere other than dmoz.org. 
  Furthermore, it is requested that passwords are not encoded in URLs in any form, 
  especially the <samp>http://username:password@dmoz.org/</samp> variety. </p>
  
<h2><a name="noshare"></a>Accounts Should Not Be Shared </h2>
  <p>Editor accounts are created on a 'one account per person' basis. Editors 
    are forbidden to have multiple accounts. As a result, editors must not share 
    their accounts with any third parties, even if said party is trusted. If a 
    non-editor wishes to have access to DMOZ, they should be encouraged to apply 
    for an account of their own. </p>
  
<h2><a name="shared"></a>Accessing DMOZ from Shared Computers </h2>
  <p>The method of authentication employed by DMOZ results in many Web clients 
    caching the user's credentials for future requests from the same realm. Typically, 
    this information is only cleared from memory when the client is exited. As 
    a result, if editors access DMOZ via shared computers / terminals they should 
    take extra precautions to ensure that their credentials are cleared from their 
    client after they have completed their session, or left their computer / terminal 
    unattended. The manner in which this process can be effected will vary by 
    platform, and if editors are not familiar with this process, they are encouraged 
    to contact the system's administrator. </p>
  <p>If the client supports it, DMOZ provides a 'logout' mechanism that attempts 
    to remove the editor's credentials from their client. To use this mechanism, 
    editors should access the URL <a href="http://dmoz.org:8080/logout/">http://dmoz.org:8080/logout/</a> 
    and when prompted enter an incorrect password. </p>
  
<h2><a name="thirdp3"></a>Course of Action in the Event that Editors Know or Suspect 
  a Third Party Has Access to Their Password</h2>
  <p> If editors have any suspicion that a third party may have acquired their 
    password, they should change it immediately. If editors suspect that their 
    credentials have been obtained deceitfully or with malicious intent, they 
    are encouraged to contact <a href="mailto:staff@dmoz.org">staff@dmoz.org</a> 
    and / or a <a href="http://dmoz.org:8080/edoc/editall.html">meta editor</a> with 
    the relevant details, including any related e-mails complete with headers. 
    <i>Note</i>: No document that editors forward should contain their actual 
    password; if they do, the password should be deleted. </p>
  <p>If an editor's password no longer works, or if they think their e-mail account 
    has been hijacked, they should send an immediate e-mail to staff and a meta 
    editor requesting assistance. </p>
  
<h2><a name="seealso"></a>See Also:</h2>
<ul>
  <li> 
    <p><a href="http://dmoz.org:8080/editors/chpass.cgi">Change Password</a> - Allows 
      editors to change their account's password.
  <li> 
    <p><a href="http://dmoz.org:8080/editors/editprofile.cgi">Edit Profile</a> - Allows 
      editors to change the e-mail address their password reminders are sent to.
  <li> 
    <p><a href="http://dmoz.org:8080/cgi-bin/forgot.cgi">Forgot your Password</a> - 
      Allows editors to request that their password is sent to the e-mail address 
      associated with their account. 
  <li>
    <p><a href="http://www.ja.net/CERT/Belgers/UNIX-password-security.html">UNIX 
      Password Security</a> - Comprehensive paper by Walter Belgers.
</ul>