
Pass the word on …

Posted by bdgreen on September 30, 2009
Salesforce

The use of a username and a password for online user authentication is ubiquitous; it is common, and therefore it is a risk.  Technically it is known as single-factor authentication, and as the phrase suggests it is the weakest process used to verify somebody's identity before letting them at your critical information on the web, short of giving them completely free access.

Salesforce uses single-factor authentication to control login, and a common habit potentially weakens even this.  The error is assuming that you must use your email address as your username, which isn't strictly correct.  The risk of using your actual email address is that it leaves an attacker just one thing to guess: the password.  Compound this with a weak password and your Salesforce data (subject to whatever restrictions the user's profile imposes) is open to the world.

Consequences of an insecure website

• Loss of business
• Destroy customer confidence and brand
• Legal liability
• Financial loss
• Costs of incident handling
(from a presentation at Barcelona DrupalCon, 2008)

So, firstly, don't use your email address as your Salesforce username.  It has to resemble an email address in structure, but it need not be your actual address.  You still need to enter a valid, accessible email address in each user's profile, but more on this in a moment!

Secondly, use a good password.  Choose a strong one, change it periodically, don't share it, and certainly don't write it on a Post-it note stuck to the side of your monitor.  Take a look, for example, at the online generator at the PCTools website, also available as an offline generator.  Consider a password length of at least six characters, and eight if you have Administrator rights, as an absolute minimum: longer is better, and Salesforce's password policy settings let an administrator enforce a minimum organisation-wide rather than relying on each user to choose well.

If you're not keen on these totally cryptic passwords then try the following: use the first character of each word in a line from a poem or a memorable phrase.  Sprinkle in a couple of digits, changes of case or punctuation characters and you'll have a secure password.
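A check that implements the two rules above (a username in email form that is not the user's real mailbox, and a password that meets the length and character-mix guidance, including the initials-of-a-phrase method), added here as an example and not code from the original post or from Salesforce.  The minimum lengths are the post's figures; the usernames, mailbox address and passwords in the sample run are constructed values.

```python
import re
import string

# Minimum password lengths the post recommends: 6 for ordinary users, 8 for
# administrators. Treat these as floors and raise them for your own policy.
MIN_LENGTH = {"user": 6, "admin": 8}

EMAIL_FORM = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def check_username(username, real_email):
    """Salesforce usernames must look like an email address, but should not
    be the user's real mailbox address. Returns a list of problems."""
    problems = []
    if not EMAIL_FORM.fullmatch(username):
        problems.append("username must be in email-address form")
    if username.strip().lower() == real_email.strip().lower():
        problems.append("username is the real email address: an attacker then "
                        "needs only the password")
    return problems


def check_password(password, username, role="user"):
    """Length and character-class check, plus a guard against embedding the
    username's local part. Returns a list of problems (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters for role '{role}'")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("use at least three of: lower case, upper case, digits, punctuation")
    local_part = username.split("@")[0].lower()
    if len(local_part) >= 3 and local_part in password.lower():
        problems.append("password contains the username")
    return problems


def passphrase_initials(line, *extras):
    """The post's alternative: the first character of each word of a memorable
    line, with a couple of digits, case changes or punctuation appended."""
    return "".join(word[0] for word in line.split()) + "".join(extras)


if __name__ == "__main__":
    # Constructed sample values (hypothetical accounts, not real ones).
    user = "sales.login@example.com"   # email form, but not anyone's mailbox
    mailbox = "jane.doe@example.com"   # the user's real mailbox
    print(check_username(user, mailbox))        # []
    print(check_username(mailbox, mailbox))     # flags the shared address
    strong = passphrase_initials("To be or not to be that is the question", "2", "B", "!")
    print(strong, check_password(strong, user, "admin"))   # Tbontbtitq2B! []
    print(check_password("Sales.login1", user))            # ['password contains the username']
```

The username check only catches the exact-match case the post warns about; a username such as the mailbox address with a different domain is still a guessable pattern, so treat the result as a floor, not a guarantee.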

So, your Salesforce data is now secure.  Well, consider this: information security is all about identifying, and fixing, the weakest link.  Your Salesforce users must have email access, and they'll certainly need it to access Salesforce off-site, so their password to your email system is the weakest link!  Salesforce, and to be fair most blogs and social media sites like LinkedIn, Facebook and so on, allow users at the login stage to request a password reset by email.  So a weak, or freely displayed, email password gives access to Salesforce: whoever can read that mailbox can reset the Salesforce password, so the email account must be protected at least as well as Salesforce itself.


reCAPTCHA that online salesforce lead …

Posted by bdgreen on September 18, 2009
cloud, Salesforce

Earlier this week Google acquired reCAPTCHA (16th September 2009).

CAPTCHA tests are those squiggly letters displayed when you are buying items online or accessing some sites.  Already more than 100,000 sites use reCAPTCHA, but Google is more likely interested in reCAPTCHA's experience in using the answers people type to correct OCR (Optical Character Recognition), a process "that converts scanned images into plain text [and] powers large scale text scanning projects like Google Books and Google News Archive Search."  For more on Google's once again contentious book-scanning programme see this article by Reuters.

Salesforce uses reCAPTCHA, and you may already have encountered it when accessing some Salesforce resources.  There's also a brief introduction to CAPTCHA on the Salesforce developerforce site, some of which is copied from the reCAPTCHA site.

So, what’s all this to do with salesforce leads?

Salesforce lets you very easily generate the code for capturing lead contact data entered into a web site form: the so-called Web-to-Lead (Web2Lead) functionality.  But there's a problem with the default code.  The generated form posts straight from the browser to Salesforce and carries your organisation Id as a hidden field, so anyone who views the page source can post to the same endpoint with your Id and fill your leads with SPAM (see the Salesforce Ideas entry).

reCAPTCHA to the rescue!  As a proof of concept I have created a web page to capture lead details.  I've extended it to include extra custom fields (e.g. a picklist: preferred method of contact), immediate, fully configurable validation of the data entered, and reCAPTCHA to prove you're human.
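One way to build the kind of gateway described above, added here as an example rather than the post's own page or any Salesforce code: the public form posts to your own server, which verifies the reCAPTCHA response with Google, validates the fields (including the preferred-contact picklist), and only then forwards the lead to Salesforce's Web-to-Lead servlet with the organisation Id attached server-side, so the Id never appears in public HTML.  The organisation Id, custom-field id, picklist values, secret key and sample submission are hypothetical; the verification call uses the current reCAPTCHA `siteverify` API (the 2009 API the post used has since been retired); and `offline_post` stands in for the network so the block runs without connectivity, while `urllib_post` is the real transport.

```python
import json
import re
import urllib.request
from urllib.parse import urlencode

# Endpoint the Salesforce-generated Web-to-Lead form posts to.
WEB_TO_LEAD_URL = "https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8"
# Current reCAPTCHA server-side verification endpoint (not the 2009 API).
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

ORG_ID = "00D000000000ABC"                # hypothetical organisation Id: server-side only
RECAPTCHA_SECRET = "hypothetical-secret"  # hypothetical reCAPTCHA secret key
CONTACT_METHOD_FIELD = "00N000000000XYZ"  # hypothetical custom-field id for the picklist
CONTACT_METHODS = {"Email", "Phone"}      # hypothetical picklist values

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"[0-9 +()\-]{6,20}")


def validate_lead(form):
    """Server-side field validation; returns a list of error strings."""
    errors = []
    for name in ("first_name", "last_name", "company"):
        if not form.get(name, "").strip():
            errors.append(f"{name} is required")
    if not EMAIL_RE.fullmatch(form.get("email", "").strip()):
        errors.append("email is not a valid address")
    phone = form.get("phone", "").strip()
    if phone and not PHONE_RE.fullmatch(phone):
        errors.append("phone contains unexpected characters")
    if form.get(CONTACT_METHOD_FIELD, "Email") not in CONTACT_METHODS:
        errors.append("preferred contact method is not a known picklist value")
    return errors


def recaptcha_ok(token, remote_ip, http_post):
    """Verify the token with Google; the browser's word alone is never trusted."""
    if not token:
        return False
    body = http_post(SITEVERIFY_URL,
                     {"secret": RECAPTCHA_SECRET, "response": token, "remoteip": remote_ip})
    try:
        return json.loads(body).get("success") is True
    except (ValueError, AttributeError):
        return False


def build_lead_payload(form):
    """Whitelist the fields that go to Salesforce and attach oid here, not in HTML."""
    allowed = ("first_name", "last_name", "email", "company", "phone", CONTACT_METHOD_FIELD)
    payload = {k: form[k].strip() for k in allowed if form.get(k, "").strip()}
    payload["oid"] = ORG_ID
    payload["lead_source"] = "Web"
    return payload


def handle_submission(form, remote_ip, http_post):
    """Returns ("rejected", reasons) or ("forwarded", payload sent to Salesforce)."""
    if not recaptcha_ok(form.get("g-recaptcha-response"), remote_ip, http_post):
        return "rejected", ["reCAPTCHA verification failed"]
    errors = validate_lead(form)
    if errors:
        return "rejected", errors
    payload = build_lead_payload(form)
    http_post(WEB_TO_LEAD_URL, payload)
    return "forwarded", payload


def urllib_post(url, params):
    """Real transport for production use."""
    data = urlencode(params).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read().decode()


def offline_post(url, params):
    """Constructed stand-in so the example runs without network access."""
    if url == SITEVERIFY_URL:
        return json.dumps({"success": params["response"] == "good-token"})
    return ""


SAMPLE_FORM = {  # constructed submission, as the browser would post it
    "first_name": "Jane", "last_name": "Doe", "company": "Example Ltd",
    "email": "jane.doe@example.com", "phone": "+44 20 7946 0958",
    CONTACT_METHOD_FIELD: "Phone", "g-recaptcha-response": "good-token",
}

if __name__ == "__main__":
    print(handle_submission(SAMPLE_FORM, "203.0.113.5", offline_post))
    print(handle_submission({**SAMPLE_FORM, "g-recaptcha-response": "bogus"},
                            "203.0.113.5", offline_post))
```

Because the reCAPTCHA check runs before validation and the forward, a spammer who scripts the form still has to solve a CAPTCHA per lead, and replaying a captured post gets nothing because the server, not the browser, supplies the organisation Id.  Put a per-IP rate limit in front of `handle_submission` as well if the form is exposed to the open internet.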

You can test all this functionality on my other site: http://www.bdgreen.it

Note: The web page also makes use of another reCAPTCHA function, Mailhide, which obscures your contact email address behind a CAPTCHA (again to stop spammers harvesting it).  Google has since discontinued the Mailhide service.
