Menu
I've always been of the impression that storing passwords in a database as plain text is (as someone else here put it) a Very Bad Thing™.
Historically, most of our server-side coding needs have been contracted out to a group of programmers. They store passwords in MySQL databases in plain text.
As the resident code monkey (incidentally, the first server-side-savvy monkey to work here, so I'm inheriting the earth, so to speak) I have this pit of the stomach feeling that it's my bum that will be on the line when this plain text nonsense is exploited.
I tried to explain to my boss how very very bad plain text passwords are, but it dawned on me: I don't think I've ever really know why they're so bad. Is there more to it than handing your hackers a list of passwords on a silver platter? That sounds bad enough for me, but in la-la land, where our websites are "secure" and impervious to any hacker, this argument doesn't seem to cut it. How can I convince (or scare) my boss into demanding hashing on his treasured websites?
Related: Encrypting/Hashing plain text passwords in database
665
Why Passwords Shouldn't Be Stored in Plain Text. When a company stores passwords in plain text, anyone with the password database—or whatever other file the passwords are stored in—can read them. If a hacker gains access to the file, they can see all the passwords. Storing passwords in plain text is a terrible practice ...
To make it simple, if passwords are in plain text, the security would be compromised by anyone having a glance at it. Now, you need to remember that website log-in isn't the only access to a database. An attacker might be able to get some information from your database in various ways.
Pros of using a password manager application: Best place to store passwords — A reputable password manager app is the best way to store passwords securely. A password manager allows you to easily create, manage, and access your secure passwords.
Plaintext just means your password is stored exactly as you write it. And that's a problem because hackers can easily read it. Be sure to read up on credential dumping and how to protect yourself.
In the military it's called "Defense in Depth". The theory is that you harden every layer you can rather than hardening just one layer and hoping it's enough.
I've heard databases like yours called "hard on the outside, soft and chewy on the inside". There are a million ways a dedicated hacker can get access to your database. Social engineering, a disgruntled employee, an ex-employee who decides to see if his login still works, or that backdoor he wrote is still there, one missed OS patch... the list goes on.
If a bad actor gets access through any of these methods, instead of just getting the data, he gets access to every username/password combination of every user of your system, and as someone pointed out, people often use the same combo for every website. So your hacker goes out and owns hundreds of people's Paypal, email, and bank accounts.
Have I painted a gruesome enough picture yet?
76
Tell him to consider that in many companies, security problems come from inside rather than out.
Now ask him how he's going to explain to his customers how hackers have stolen their passwords (which no doubt they used elsewhere) next time he has to fire someone for some reason.
Also ask him how much he thinks his customers would like to know that their passwords are visible to anyone with read access to the database.
42
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
