Things that make a developer cry 6
So, we’re doing a cobranding exercise at work. The idea is that we serve up a branded version of amazing tunes on a subdomain of our partner’s site; their users get a skinned version of the site that feels like part of the partner’s site, we get an influx of new users, and everybody is happy. One aspect of this is that we’re using the partner’s site to handle authentication.
Today, we got all our ducks in a row and started authenticating against the partner’s SOAP service as part of our user testing. So off I went to the partner site and set up an account…
At amazing tunes, we’re pretty scrupulous about password security: we never store plaintext passwords, and any request that involves a password being sent goes over an https connection. It’s just the right thing to do.
After I’d finished setting up my account on the partner’s website I was presented with a screen that looked something like:
Your username is: pdcawley
Your password is: fucknuckle
At least it was an https connection, but it doesn’t exactly fill me with delight.

For the avoidance of doubt
I have not now, nor have I ever used fucknuckle as a password, and would appreciate it if any cracker arsebiscuits reading this don’t go trying it everywhere. I haven’t used ‘arsebiscuit’ as a password either, in case you were wondering…
And don’t forget to condemn MD5 encrypted passwords.
Well, just getting things out of cleartext would be a start, but I take your point.
What is current good practice for stashing passwords in the database? Multiple hashing with a per-record salt added at each round?
Very true. Note that the widely used restful_authentication plugin does something similar: after signing up, a mail is sent to the user rendered with this template.
I store md5(SALT.$passwd).sha1(SALT.$passwd) where the salt is a 16 character secret that the application knows and which I generated from /dev/random. That’s really overkill and there’s nothing wrong with just using MD5, I just do the extra stuff to shut my cow-orkers up.
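The per-record salt and iterated hashing asked about above, as an added example that is neither the post’s nor the commenters’ code. It uses Python’s standard-library PBKDF2-HMAC-SHA256; the record format, the work factor and the constructed application-wide salt used for contrast are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not from the post).
ITERATIONS = 200_000   # PBKDF2 work factor
SALT_BYTES = 16        # length of the random per-record salt
PREFIX = "pbkdf2_sha256"

def app_wide_salt_hash(password: str, app_salt: bytes = b"constructed-app-secret") -> str:
    # One secret salt shared by every record: two users with the same
    # password end up with the same stored value, so a leaked table reveals
    # password reuse and can be attacked with a single precomputation.
    return hashlib.md5(app_salt + password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute from the record's own salt and work factor; compare in constant time."""
    try:
        prefix, iters, salt_hex, hash_hex = record.split("$")
        if prefix != PREFIX:
            return False
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below current policy; rehash on the next successful login."""
    try:
        prefix, iters, _salt_hex, _hash_hex = record.split("$")
        return prefix != PREFIX or int(iters) < iterations
    except ValueError:
        return True
```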
I once had an account on a system that required the user to choose a password from a provided list. There was no limit how many times you could generate a new list, so I kept on asking for more until I found the perfect password for that account. That password was analcars.