Menu
I want to call "storing a password in plain text in a Database" a bad pratice... but our customer did this in his Application. They want me to renew that Application.
My point: I want to change this...but since it is not a need for our Customer it is still unclear.
How do you handle such issues regarding security? From my point of view it is difficult to explain such issues to Customers.
664
I think "bad practice" is an understatement. "Irresponsible" might be more accurate.
If it's worth to protect it with a password, it's worth doing it properly. Storing passwords in plain text is an embarrassing security breach waiting to happen.
If "security" is anywhere in your customers wishes (which I guess it is, since there are passwords), they've implicitly asked for a decent security system, which includes proper handling of passwords. They may not ask for "passwords being stored securely" (hashed and salted) because they're not the experts; that's what they hired you for.
90
Write a short, clear and jargon-free formal letter stating your concerns and concluding that in your professional opinion, it should be rectified. Address it to someone reasonably high up in the customer.
If they then choose to ignore your advice, that's their prerogative.
(Keep a copy of the letter yourself, too.)
7
If you can, a live demonstration works great. Ask the user to create an account with a password (not the password they normally use). Go into the database and retrieve, and explain that anyone who has access to your database (either by permission, or via a security breach) can simply go ahead and do this.
4
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
